[ietf-dkim] list vs contributor signatures, was Wrong Discussion
bmcdowell at paypal.com
Fri Apr 30 14:33:51 PDT 2010
On Apr 30, 2010, at 11:05 AM, Michael Thomas wrote:
> On 04/30/2010 07:38 AM, McDowell, Brett wrote:
>> On Apr 30, 2010, at 10:23 AM, Michael Thomas wrote:
>>> On 04/30/2010 07:05 AM, McDowell, Brett wrote:
>> But since mailbox providers already manage reputation at scale, how much of a burden is adding this bit to the mix? Remember this only affects mailbox providers who have decided to do DKIM blocking based on ADSP discardable policies (for some, if not all senders).
> Let's put aside whether there's something new here for the moment (i've not had my
> coffee yet...). By all rights, we should not be having this conversation right now
> at all because you have set adsp discardable. So even if we adopted some bcp-like
> advise for mlm and receivers, it would be years if not forever before we could have
> a reliable conversation on this and other lists again. Maybe at paypal that's an
> acceptable tradeoff (?), but at my previous employer, all standards work, for one,
> would cease and there would be lots of engineers with pitchforks and torches.
> So what I'm getting at here is that I'm having a hard time understanding how the
> bootstrap doesn't fail for most sending/receiving entities. As I'm sure you know,
> false positives drive mail admins to complete distraction... which is the situation
> it looks to me that you're willing setting up.
> That said, you (paypal) are far braver than I am, but if you can make this to work
> somehow as a large enterprise that would be a pretty amazing accomplishment.
Talking about the status quo is to talk about how every ISP/MBP (btw, is it common practice to refer to a "mailbox provider" as a MBP?) has decided to deal with "discardable" ADSP policies given they ALL KNOW that some common Internet practices break DKIM. I'm not sure why that's a useful discussion to have in this forum. I thought we wanted to talk about how to change the status quo so DKIM signatures aren't made irrelevant by common Internet mail practices like MLM's.
Just so everyone knows, even some of the ISP/MBP's working with us who are equally committed to curbing paypal.com phishing attacks by means of DKIM and ADSP, are sorting out how they want to handle the gray areas when they see evidence that the message was 'probably validate-able' when it started but something that is 'probably not criminal' happened along the way so I can no longer validate... so let me... make it up as I go and iterate until the standards evolve to remove/reduce this problem.
That in fact is why my emails *are* being delivered to at least one gmail.com user on this list.
So the status quo is ugly at best.
Is there any will in this group (aside from my own) to evolve the standards to improve the status quo?
Are the rest of you as concerned about the damage fraud messaging can have to a user's computer, identity, and all systems on the Internet accessible from that computer? I know I don't have to say this, but... this isn't just about stopping annoying ads for viagra. And it isn't just about financial institutions' monetary losses due to account takeover attacks enabled by phishing. It's about the trustworthiness of the Internet and addressing the A#1 channel criminals use today to undermine the integrity of this amazing infrastructure all of us have enjoyed and many of *you* have created.
More information about the ietf-dkim