The question is not who you trust - ARC doesn't directly change that - but how you reliably automate determining whether the message was forwarded only by people that you trust. At present, you have to dig through Received: headers, infer per-forwarder internal structure and behaviour and, frequently, guess. ARC addresses that problem, not the one you're asking about.
The amount of discussion to date about specific historical whitelist proposals is neither here nor there. The question is whether ARC's degree of support for reliable automatic chain-of-custody assessment provides a material improvement for a group of receivers interoperating with a group of forwarders. So long as the answer to that question is yes, then this is progress. I'd suggest that: * large receivers are generally keen to implement things that materially improve their ability to separate wheat from chaff (ARC does this if it's implemented by any significant subset of mailing-list operators), and * at least some of the mailing-list operators whose discomfort with DMARC interoperation is the need to disrupt long-traditional norms (leaving From: unchanged but tagging Subject:, stripping multiparts, adding footers, ...) will be willing to perform ARC processing on messages on the way in, in order to interoperate without giving up traditional mailing-list operations. If these are both true, then ARC is a clear benefit. - Roland [http://www.trustsphere.com/images/signatures/trustsphere.png]<https://www.trustsphere.com> Roland Turner | Labs Director Singapore | M: +65 96700022 roland.tur...@trustsphere.com<mailto:roland.tur...@trustsphere.com> ________________________________ From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of Scott Kitterman via dmarc-discuss <dmarc-discuss@dmarc.org> Sent: Friday, 23 October 2015 12:31 To: DMARC Discussion List Subject: Re: [dmarc-discuss] A bit quiet? If I trust the sender enough to override DMARC policy results, what more does ARC add? I thought we'd already discussed the idea of the non-scalability of whitelists to death. Absent a trusted sender whitelist, what can you do with ARC? Scott K On October 22, 2015 11:03:59 PM EDT, Roland Turner via dmarc-discuss <dmarc-discuss@dmarc.org> wrote: Broadly, yes. You'd need to trust the entire chain of ARC-signing forwarders of course. - Roland [http://www.trustsphere.com/images/signatures/trustsphere.png]<https://www.trustsphere.com> Roland Turner | Labs Director Singapore | M: +65 96700022 roland.tur...@trustsphere.com<mailto:roland.tur...@trustsphere.com> ________________________________ From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of Scott Kitterman via dmarc-discuss <dmarc-discuss@dmarc.org> Sent: Friday, 23 October 2015 10:42 To: DMARC Discussion List Subject: Re: [dmarc-discuss] A bit quiet? Okay. If I implement ARC as a receiver, then I ignore p=reject from Senders I trust not to lie to me if it passes ARC? Scott K On October 22, 2015 10:15:24 PM EDT, Roland Turner via dmarc-discuss <dmarc-discuss@dmarc.org> wrote: ARC provides a standardised, software-implementable, means for trustworthy forwarders to implement chain-of-custody records and therefore for receivers to reliably and simply automate assessments about messages received through trustworthy paths that are currently both generally too complicated to make other than by hand and - for longer forwarding chains than author->list->recipient - depend upon trusting untrustworthy data from several hops upstream. The decisions about who to trust remain more-or-less those which receivers already make, ARC extends the distance that that trust can be algorithmically extended. An untrusted bad guy gains nothing, except against a naive receiver who imagines that ARC is magic. See also naive receivers assuming that SPF passing meant that a message was not spam. Likewise DKIM passing. Likewise DMARC passing. The important change here is that, in addition to incorporating an assessment of the trustworthines! s of the author and/or the last hop, assessments of the trustworthiness of forwarders enter the picture. - Roland Roland Turner | Labs Director Singapore | M: +65 96700022 roland.tur...@trustsphere.com ________________________________ From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of Scott Kitterman via dmarc-discuss <dmarc-discuss@dmarc.org> Sent: Friday, 23 October 2015 04:44 To: dmarc-discuss@dmarc.org Subject: Re: [dmarc-discuss] A bit quiet? On October 22, 2015 1:19:51 PM EDT, Franck Martin via dmarc-discuss <dmarc-discuss@dmarc.org> wrote: The fun is moving to ARC https://dmarc.org/2015/10/global-mailbox-providers-deploying-dmarc-to-protect-users/ How does that actually help? At least as I read the draft, anyone can make up a 'bad' message and an associated made up DKIM signature and then add their ARC stamp claiming the signature was valid when the message arrived? Scott K ________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html) ________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html) -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
