[ietf-dkim] list vs contributor signatures, was Wrong Discussion
bmcdowell at paypal.com
Thu Apr 29 12:02:23 PDT 2010
(oops, sorry, it was an issue Al raised, not John... in any event here's my answer)
On Apr 29, 2010, at 1:23 PM, Al Iverson wrote:
> On Thu, Apr 29, 2010 at 11:58 AM, McDowell, Brett <bmcdowell at paypal.com> wrote:
>> On Apr 28, 2010, at 2:11 PM, John R. Levine wrote:
>>>> Your proposal that MLM remove Signatures would cause restrictive
>>>> policies to fail.
>> Which is why I oppose this proposal.
> As John Levine mentioned previously, your own posts to this list fail
> authentication and end up in many of our spam folders because of
> Paypal's SPF policy. I'm not against strong authentication policies --
> but I'm wondering how you personally expect to be able to post to
> mailing lists without acceptance of this proposal? The status quo
> interferes with your ability currently, and broader adoption of
> authentication on the receiving side will only make it worse.
It's a question of priority and timing.
Priority: it's more important to us that cyber criminals not be systemically enabled to leverage MLM systems to bypass email authentication flows and consumer protection policies designed to block their attacks... the attacks that, if not for the MLM intermediary, would have been blocked thanks to DKIM+ADSP and the voluntary compliance with ADSP policies by certain ISPs/Mailbox Providers.
Timing: therefore, until the standards community enables MLM systems to maintain (if they wish) the integrity of DKIM/ADSP-enabled message authentication flows that exist today (and are on the rise) and would successfully deliver authenticated mail if not for the intervention of the MLM system, our consumer protection policy has this apparent consequence on PayPal employees that participate in certain public mail lists -- the ones that break or strip DKIM signatures -- that would lead us to have to perform workarounds as the issues are discovered.
It's not ideal for me personally, but more importantly it's not ideal for any sender trying to leverage these technologies to improve consumer protection. That's why I'm here trying to advocate for a *solution* which Murray's proposal just might be the basis for, but I humbly assert John's is not.
I'd characterize the X-Y-Z proposal from Murray as having some hope of solving the problem without dismissing the current consumer protection values of DKIM+ADSP, and John's proposal as something akin to giving up on ever seeing authenticated mail survive MLM intermediaries.