On Mon, 1 Aug 2011, Douglas Otis wrote:
This would be a safe method to extend policy without requisite two
party coordination as currently expected by DKIM.
The problem is that for the majority of From: domains claimed in incoming
mail, the TPA approach is just as unfeasable as "two party
coordination". The problem is not the lack of a language for the
alleged-sender to express detailed policy -- it is that the alleged-sender
doesn't have a fully detailed policy to express. The real communication
barrier is between the DNS admin for a domain, and the end users who have
mailboxes on that domain. An end-user would have to be exceptionally
computer literate in order to help his admin publish a correct TPA policy.
While *phishers* may see no point in forging that class of domain, a
layered protocol (ADSP or successor/replacement) that makes no attempt to
defend those domains is not worthwhile for me to deploy *as an MX admin*.
Which means blatant phish with a single From: and no signature could sail
right through.
The best that the administration of such domains can offer, is a claim
that the end-users have been trained to always use the official
smarthost, and thus every non-mailing-list mail will be signed.
It's weak, but it's far better than nothing. For some recipients, such as
myself, it would be as useful as discardable. I know that anything that
smells enough like a mailing list to invoke the loophole, yet hasn't
already been diverted by my whitelists, is junk.
---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html