[ietf-dkim] list vs contributor signatures, was Wrong Discussion
ietf-dkim at kitterman.com
Wed Jun 2 09:16:06 PDT 2010
"John Levine" <johnl at iecc.com> wrote:
>>Similarly, with ADSP you don't have to rely on published information, and
>>when information is published, you don't have to guess whether the
>>publisher is competent. You can maintain your own list of domains that you
>>trust to get ADSP right, and use standard software to apply that judgement.
>Manual drop lists are a fine idea, but what do they have to do with ADSP?
>>1. Code reuse: Although you may choose to maintain your drop list, you
>>don't have to write software for your MTA, you can just configure it.
>I'm happy to reuse the manual drop code in Spamassassin. I still don't
>see what it has to do with ADSP.
>>2. Discoverability: You can find out from ADSP publications that the sender
>>cares about this stuff. OK, it's still a leap to add them to your drop
>>list, but you do at least have somewhere to start.
>Here's a thought experiment: let's say you have your list of domains
>that are known to be phish targets that sign their mail, so you drop
>unsigned mail, and they all happen to publish ADSP. Someone's ADSP
>record goes away. Is it more likely that they've stopped signing
>their mail, or that their ADSP record is temporarily messed up? Why?
Or, I suspect most likely, they thought they were signing everything and then later something changed or they discovered they missed a piece of their infrastructure, so they've retracted the policy until they've corrected the problem.
More information about the ietf-dkim