On 7/29/10 6:46 PM, Alessandro Vesely wrote:
On 29/Jul/10 14:46, Douglas Otis wrote:
The TPA-Label approach does _not_ depend upon changes made by
the mailing-list! The TPA-Label limits change to code already
handling ADSP records, and of course to domains making ADSP
assertions. There is only a small number of domains making
actionable ADSP assertions. The TPA-Label would allow Author
Domains a means to assert explicit exceptions when processing
their restrictive ADSP assertions.
I agree that TPA-Label would make it more practical to use policies
other than "unknown". However, I have the feeling that it is more
useful for small domains that want to use external services, than for
mailing lists. For a large domain whose users are free to subscribe
to any list, I see two major concerns:
1. There is no standard way for the domain to learn when any of its
users subscribe to a new list. In practice, users would have to
check whether the relevant TPA already exists, and possibly apply for
it internally, before subscribing.
Disagree. Likely most of the domains being heavily phished are already
required to carefully monitor outbound traffic. If the industry were to
compile a list of informal third-party service domains, along with their
recommended TPA-Label assertions, any outbound traffic could quickly
confirm whether authorization had been granted, and use the compiled
list to automatically generate the authorization, or simply point their
"_tpa" list to such an industry list already being published, or
immediately reject the message and inform the user they need to find a
different alternative.
Any recommendation that suggests a targeted and recognized domain should
start using other domains or subdomains to conduct public exchanges
simply creates new avenues for phishing and will cause greater recipient
confusion. In other words, a very bad practice.
2. Granting a TPA implies a good degree of trust. I don't think
/any/ mailing list would obtain a TPA from, say, PayPal; the sites
who would could then be trusted "by proxy" by anyone who takes
PayPal's assessments for good...
Most mailing lists would be safe for a domain in their position to
authorize. Most who subscribe already sort these messages. The
TPA-Label can even ensure whether a message came from the authorized
list. Any mailing list that confirms subscriptions, and adds typical
annotations should be safe to authorize. Of course, things like A-R
headers would be better.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
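The two checks discussed above (a receiver evaluating a restrictive ADSP assertion with a TPA-Label exception for an authorized list, and an outbound gateway confirming or auto-generating an authorization from a compiled industry list before relaying) as an added example. This is illustrative code written for this page, not code from the TPA-Label draft, from Doug, or from the DKIM working group. It assumes an in-memory dictionary standing in for DNS, constructed zone and industry-list data, a hypothetical Author Domain `bank.example`, and a label encoding (base32 of SHA-1 over the third-party domain, under `_tpa._domainkey`) that is an assumption; consult the draft for the actual record layout. DKIM signature verification is assumed to have already run and is represented by the set of domains whose signatures validated.

```python
"""Model of ADSP handling with TPA-Label exceptions (added example)."""
import base64
import hashlib
from typing import Dict, Set

AUTHOR_DOMAIN = "bank.example"  # hypothetical, heavily phished Author Domain


def tpa_label(third_party_domain: str) -> str:
    """Label naming a third-party authorization under _tpa.

    Assumption: base32(SHA-1(lowercased domain)) with padding stripped.
    The draft defines its own encoding; this is illustrative only.
    """
    digest = hashlib.sha1(third_party_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def tpa_name(author_domain: str, third_party_domain: str) -> str:
    """DNS owner name at which the Author Domain publishes the exception."""
    return f"{tpa_label(third_party_domain)}._tpa._domainkey.{author_domain}"


# Constructed zone data: a restrictive ADSP assertion plus one authorized list.
DNS: Dict[str, str] = {
    f"_adsp._domainkey.{AUTHOR_DOMAIN}": "dkim=discardable",
    tpa_name(AUTHOR_DOMAIN, "lists.example"): "scope=list",
}

# Constructed "industry list": well-known third-party services and the
# TPA assertion recommended for each.
INDUSTRY_LIST: Dict[str, str] = {
    "lists.example": "scope=list",
    "newsletters.example": "scope=bulk",
}


def adsp_policy(author_domain: str, dns: Dict[str, str]) -> str:
    """Return the dkim= value of the ADSP record; 'unknown' if absent (RFC 5617)."""
    record = dns.get(f"_adsp._domainkey.{author_domain}", "")
    for tag in record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key == "dkim":
            return value
    return "unknown"


def tpa_authorized(author_domain: str, signer: str, dns: Dict[str, str]) -> bool:
    """True when the Author Domain has published an exception for this signer."""
    return tpa_name(author_domain, signer) in dns


def inbound_verdict(from_domain: str, valid_signers: Set[str], dns: Dict[str, str]) -> str:
    """Receiver-side decision: 'pass', 'neutral', 'fail' or 'discard'.

    A valid Author Domain signature satisfies ADSP directly. Otherwise a
    restrictive policy is overridden only by a TPA-Label record naming one
    of the domains whose signature actually verified, so a message relayed by
    an unauthorized domain still fails even if that domain signed it.
    """
    if from_domain in valid_signers:
        return "pass"
    policy = adsp_policy(from_domain, dns)
    if policy == "unknown":
        return "neutral"
    if any(tpa_authorized(from_domain, signer, dns) for signer in valid_signers):
        return "pass"
    return "discard" if policy == "discardable" else "fail"


def outbound_check(author_domain: str, destination: str, dns: Dict[str, str],
                   industry: Dict[str, str], auto_publish: bool) -> str:
    """Outbound gateway: confirm a third party is authorized before relaying.

    Returns 'authorized' (record already exists), 'published' (record
    generated from the industry list's recommendation) or 'rejected'
    (the user must be told to use a different service).
    """
    if tpa_authorized(author_domain, destination, dns):
        return "authorized"
    if auto_publish and destination in industry:
        dns[tpa_name(author_domain, destination)] = industry[destination]
        return "published"
    return "rejected"


if __name__ == "__main__":
    zone = dict(DNS)
    print("list-signed mail:", inbound_verdict(AUTHOR_DOMAIN, {"lists.example"}, zone))
    print("unknown signer:", inbound_verdict(AUTHOR_DOMAIN, {"evil.example"}, zone))
    print("new subscription:", outbound_check(AUTHOR_DOMAIN, "newsletters.example",
                                              zone, INDUSTRY_LIST, True))
    print("after publish:", inbound_verdict(AUTHOR_DOMAIN, {"newsletters.example"}, zone))
```

The outbound path is what answers Alessandro's first concern in Doug's reply: the gateway never needs to be told about a subscription in advance, because the relay of the first message to a recognized list either finds the exception already published, publishes the recommended one, or bounces the message with an explanation. Whether a domain should publish automatically is a policy choice; the `auto_publish` flag is there so the same check can run in confirm-only mode.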