[ietf-dkim] Is anyone using ADSP? - bit more data from the receiving side
steve at wordtothewise.com
Mon Oct 12 23:26:36 PDT 2009
On Oct 12, 2009, at 10:14 PM, hector wrote:
> John R. Levine wrote:
>>> Shorter summary: The WG charter says there should be
>> Yes, there was considerable naive optimism in the charter.
>> We all agree that it would be great to have a scheme to spoof-proof
>> But ADSP isn't it, for the reasons we've all gone over,
> which were?
>> no matter how much we might wish that it were.
> -1. The only wish I have is that stop injecting misinformation.
> Any domain that publishes a DKIM=DISCARDABLE and for any receiver that
> supports ADSP will immediately protect the Author Domain and the
> receiver system from further abuse from:
> 1) ALL legacy (non-signed mail) DOMAIN spoof attempts at
> the receiver.
> 1) All 3rd party signed mail NOT EXPECTED by the Author Domain
> regardless if its was a malicious reply or a stupid list
> server ignoring RFC 5617.
> Both are huge immediate payoffs for the domain and receiver. To deny
> this high benefit is being intentionally ignorant.
To recap, for those who are just joining us, or who haven't been
There are two entirely separate things connected to the sender domain
that one might consider protecting. One is the byte sequence used in
the domain name. The other is the "brand".
The byte sequence can be protected (sort of) via ADSP, but has close
to no value for brand protection or phishing protection.
The "brand" cannot be protected solely via ADSP, at all, not in any
By that I mean that it's possible to protect the byte sequence paypal.com
to some limited degree, but that that is operationally meaningless
without any way to distinguish between "paypal.com" and "paypa1.com",
or between "citibank.com" and "citibankonline.com", including more
opaque homoglyph domain names based on non-ascii character sets, and
so on and so forth. Unicode technical report #36 is well worth a read
for anyone unfamiliar with the homoglyph issue.
paypa1.com can be protected using DKIM and ADSP in any way that paypal.com
can, so if ADSP can make paypal.com a "safe" or "unforged" or "not a
phish" domain then it can do exactly the same thing forpaypa1.com.
In order to protect the paypal.com brand from brand dilution or
phishing you need a way to differentiate the two cases.
This has been explained repeatedly on this list, and there's been no
credible suggestion that it's not true. ADSP can protect byte
sequences. But protecting byte sequences cannot, in itself, provide
much in the way of brand protection or anti-phishing functionality.
As a rule of thumb, if you are going to assert that any protocol will
protect the "paypal" brand you need to demonstrate that the protocol
can return a binary "good" vs "bad" result, and that that protocol
will return different results for "paypal.com" and for "paypa1.com".
DKIM cannot do that. Nor can ADSP. Therefore, neither protocol can
provide any brand protection, nor any phishing protection.
It's possible (likely, in fact) that a protocol that uses DKIM or ADSP
as part of it's implementation could provide some level of brand
protection, but discussing just the ADSP or DKIM part in the context
of phishing or brand protection without discussing the section of the
protocol that actually provides the brand protection is simply wasting
More information about the ietf-dkim