On 10/2/10 11:13 PM, Michael Deutschmann wrote:
On Tue, 28 Sep 2010, Steve Atkins wrote:
Putting it in the List-Unsubscribe header that's not displayed
to recipients is pretty much equivalent to putting it in the X-Bamboozle
header that's not displayed to recipients when it comes to displaying
legally required content to recipients.
And there's the rub. The problem is that a major threat we anticipate,
is that should a means be added to append a footer without breaking the
signature, bad guys will find short legitimate messages and replay them
with a footer containing spam.
Requiring the list garbage (and thus the spam) to be in X-Bamboozle:
headers would make this problem far less likely, since forgery recipients
would not likely see the spam. But as you say, it is not adequate for the
lawyers. They demand the same visibility a spammer would want.
Sorry for mixing threads, but in comparison the TPA-Label scheme does
not depend upon new headers being added by the Author Domain.
Additional authentication and header requirements applied against
specific domains is to better isolate mail streams handled by specific
services such as those of a mailing-list.
The intent of the third-party authorization with authentication methods
and possible header requirements is to establish restrictive policies
that can be applied against non-participating mailing-lists. When a
domain can not be confirmed via DKIM, then TLS, EHLO, or SPF
verifications can be required instead, where additional header fields
containing a specific domain (which can differ from the verified domain)
can be used to confirm a specific service being authorized.
In general, once the mailing-list service has been confirmed, and the
Author Domain knows the mailing-list confirms subscriptions, it would be
reasonable to assume that messages from the list will be handled
differently from those messages received directly. The third-party
authorization can also act as a fall-back method that might be desired
to recover from damaged DKIM signatures.
Over time, signature damage should be less of an issue, but third-party
services such as mailing-lists, e-vites, etc. can not be permitted using
the simplistic ADSP restrictive assertions based solely upon the From
header field. The time before mailing-lists change their handling may
be forever, since many recipients would like to see current practices
continue, so the TPA-Label scheme is not expecting these services to change.
The TPA-Label scheme enables the practices needed to combat phishing.
It would be a bad practice to utilize multiple sub or cousin domain
lacking any acceptance restrictions. It would not be reasonable to
assume recipients are able to make sense of the resulting mail streams,
where the current trend shows their dissatisfaction with them not
continuing to use the service.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html