On 7/29/10 9:35 PM, Dave CROCKER wrote:
Folks need to take note of the fact that a problem that is created by added
functionality which is needed by only specialized scenarios is probably best not
"fixed" by adding more mechanism.
Dave,
The TPA-Label draft offers an ADSP practice that will not disrupt MLM,
or other types of informal third-party services. These practices will
not depend upon changes in third-party services. In other words, it
does not depend upon other mechanisms. It is limited to ADSP. Changes
to ADSP will not impact the few existing domains' current, limited, and
problematic ADSP practices.
For domains that will benefit by a strong ADSP anti-phishing stratagem
and also wish to use informal third-party services, the overhead of
providing authorization should not be a hardship. It will likely
require informing their users of an internal webpage where requests for
these services can be authorized. Perhaps the industry might even
establish a comprehensive list of these informal third-party services,
where any outbound traffic to any of these domains could automatically
generate needed authorizations, or offer immediate feedback to users
without any problematic message even being sent.
Prior to authorization, only a few minor checks are needed, which also
could be compiled in the industry list of these services.
1) the email-address of the subscriber is confirmed by a pingback
message.
2) the messages from the list can be recognized by way of annotation,
list-id header fields, etc.
If these two elements are met, using "tpa-sig" or "tpa-path" assertions
in ADSP practice should offer adequate anti-phishing protection.
Authorization can be quickly withdrawn when a problem is reported.
-Doug
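The decision the message above describes, worked through as an added example (not code from the thread or from the TPA-Label draft): a constructed authorization table stands in for the per-domain TPA records, a List-Id check plays the role of "element 2", and the caller supplies the already-verified DKIM signer domains and the delivering MTA's domain as stand-ins for the tpa-sig and tpa-path tests.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Constructed authorization table standing in for the per-domain TPA-Label
# records; the draft publishes them in DNS and this dict is not its format.
# author domain -> {authorized third-party domain: permitted assertions}
TPA_AUTHORIZATIONS = {
    "bank.example": {"lists.example": {"tpa-sig", "tpa-path"}},
}

def parse(raw: str) -> Message:
    return message_from_string(raw)

def author_domain(msg) -> str:
    """Domain of the From: address (simplified: one plain address assumed)."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def list_domain(msg) -> Optional[str]:
    """Domain part of a List-Id such as '<dkim-talk.lists.example>' (heuristic)."""
    m = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    return m.group(1).split(".", 1)[1].lower() if m and "." in m.group(1) else None

def evaluate(msg, verified_sig_domains, last_hop_domain) -> str:
    """Disposition under a strict ADSP where only the author domain or a
    TPA-authorized third party may vouch for the message.
    verified_sig_domains: d= domains of DKIM signatures that already verified.
    last_hop_domain: domain of the delivering MTA (stand-in for the tpa-path test).
    """
    author = author_domain(msg)
    if author in verified_sig_domains:
        return "accept: author-domain signature"
    lst = list_domain(msg)
    for third_party, assertions in TPA_AUTHORIZATIONS.get(author, {}).items():
        if lst != third_party:  # element 2: must be recognisable as that list's traffic
            continue
        if "tpa-sig" in assertions and third_party in verified_sig_domains:
            return f"accept: tpa-sig authorized {third_party}"
        if "tpa-path" in assertions and last_hop_domain == third_party:
            return f"accept: tpa-path authorized {third_party}"
    return "reject: no author signature and no authorized third party"

# Constructed sample: a list relay of a bank.example post, and a bare message.
LIST_MSG = parse("From: Alice <alice@bank.example>\nList-Id: DKIM talk <dkim-talk.lists.example>\n\nhello\n")
DIRECT_MSG = parse("From: Alice <alice@bank.example>\n\nhello\n")
```

A message that carries neither the author domain's signature nor the annotations of an authorized list is rejected, which is the phishing case the strict practice is meant to catch; withdrawing an entry from the table withdraws the authorization.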
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html