On 9/27/10 3:13 PM, Murray S. Kucherawy wrote:
On Monday, September 27, 2010 3:02 PM, Douglas Otis wrote:
You have placed TPA information in a domain not below
"_domainkey.<signing-domain>". This increases the response size by 11
bytes with a trade-off of making delegations to signing mail providers
more difficult. I am open to either approach, however only DKIM makes
this scheme practical.

How does it make something more difficult?

Two zones might need delegation instead of just one.

At the same time, unless authorizations can defend against
likely abuse, that too would render efforts unusable. The additional
information also benefits the recipient when it simplifies their
process and increases the number of messages being properly marked for
rejection.

I don't really want to conduct an experiment that includes myriad optional
policy specifications without some operational data to suggest they stand a
chance of adoption. Simpler is better.

Agreed, but not having a defense against trivial exploitation of an
authorization is not better. When a defensive requirement proves
unused, it can be removed without impact. Since this information sets
authorization requirements, adding the information at a later date would
not be compatible with existing implementations.

Perhaps we can work on the bare essentials independent of the notation used.

Types of authentication that might be used for existing third-party
services:
1) DKIM
2) TLS
3) SPF
4) EHLO/ADR

Additional header field requirements ensure message sorting or
presentation. The header field requirement is to offer simple tactics
against most phishing exploits:
a) Sender
b) List-ID

One could describe the current ADSP scheme as being "simple". Simple
is not better when only ~200 out of 20,000 phished domains use the
mechanism intended to mitigate the negative impact caused when users
wonder about spoofed messages. The result of wondering is they might
decide to curtail future business with the domain, which likely has a
greater impact than losses due to fraud.

The MLM recommendation of using different sub-domains ignores the fact
that most recipients don't understand name changes on the right or the
left of a recognizable name. Name recognition is improved when a single
name is always used. The most visible name to recipients is the domain
found in the From header, whether used as a basis for sorting, or when
displayed in addition to that of the friendly name.

It is unfortunate that the From header field is not always emitted by
servers controlled by the Author Domain. The TPA-Label scheme seeks a
means to retain a reasonable level of authentication compliance without
mandating an often unobtainable requirement that messages only be
emitted by Author Domains. In many cases, transparent authorization
techniques are simply not practical, nor will any neutral status offer
the proactive protections needed to mitigate phishing.
-Doug