[ietf-dkim] draft-ietf-dkim-mailinglists-02 review
Scott Kitterman
ietf-dkim at kitterman.com
Fri Sep 10 16:10:32 PDT 2010
"Steve Atkins" <steve at wordtothewise.com> wrote:
>
>On Sep 10, 2010, at 3:46 PM, Scott Kitterman wrote:
>
>> On Friday, September 10, 2010 06:37:46 pm Steve Atkins wrote:
>>> On Sep 10, 2010, at 2:31 PM, Scott Kitterman wrote:
>>>>
>>>
>>> I don't think it inoculates them against ADSP problems - rather
>>> it opens them up to violations of the security model that ADSP
>>> would like to impose.
>>>
>> This is only true if John is wrong and mailing lists are a vector that we need
>> to worry about.
>
>
>Doing what you suggest would avoid the problems of legitimate
>email being discarded due to ADSP/mailing list interactions at
>the cost of allowing phishers to send email "from" a sender
>violating the ADSP security model simply by pretending to be
>a mailing list.
>
>> I happen to generally agree with him on this.
>
>Me too. But you're breaking the ADSP security model for all
>email with your suggestion. Note that neither of the examples
>I gave involved me sending a phishing email via a mailing
>list.
>
I don't think it breaks it. It avoids it and I think that's fine.
Whatever limited value ADSP provides, it is only relevant to exact domain phishing. What we are describing is a putative weakness that's already beyond its design scope.
Scott K