On 04/02/2015 07:59 PM, Murray S. Kucherawy wrote:
On Thu, Apr 2, 2015 at 6:59 AM, Anne Bennett <[email protected]> wrote:

    > As I recall this was considered during the development of DKIM originally,
    > exactly for this reason.  We rejected it because we couldn't come up with a
    > safe description of what a tag should look like. If arbitrary text is
    > allowed in there, then one could "tag" a spam URL at the front of a
    > legitimate message's Subject field and the signature would still pass.

    Right, but if that tag were explicitly deemed to be excluded
    from the signature, it could be handled differently.  Hmm, but
    if this resulted in (for example) the tag not being displayed,
    then we would have gained nothing in the case of mailing lists.


Handled by whom? If we're talking about telling MUAs "Don't render the unsigned part of the content the same way as the signed content", then a bunch of additional complexities begin to appear:

- MUAs now need to know how to do DKIM themselves, so that they know what parts were signed and what parts were not; alternatively, we need a way to signal between the DKIM verifier and the MUA what parts are safe to render, beyond what Authentication-Results already provides

- We're wandering into conversations about how MUAs should interact with users, which this community typically avoids like a terrible allergy

- Even if the above aren't problems, we're relying on MUAs to adapt to this change in a relatively short period of time

Here be dragons.

If DMARC is really the success that dmarc.org claims it is [1] and with so many of the big ESPs around here [2] I fail to see why it would be so difficult to involve the MUA developers of these same ESPs?

/rolf

P.S. I only noticed today the significant organizational change of dmarc.org [3] and the fact that this 'new' dmarc.org has only two founding sponsors.

[1] http://dmarc.org/2015/02/dmarc-is-a-proven-tool-in-the-fight-against-fraudulent-email/
[2] http://dmarc.org/about/history/
[3] http://dmarc.org/about/

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
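
The trade-off discussed in this thread, as an added example that is not part of the original messages: it compares the RFC 6376 "relaxed" header canonicalization of a Subject field with a hypothetical tag-excluding variant. The `TAG` rule, the function names and the sample subjects are assumptions made for illustration, and a SHA-256 digest of the canonicalized header stands in for the signed input.

```python
import hashlib
import re


def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # compress and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n".encode()


# Hypothetical rule (not in any RFC): one leading "[...]" tag in the Subject
# is excluded from what gets signed. This is the idea the thread says was
# rejected during DKIM's development.
TAG = re.compile(r"^\s*\[[^\]]*\]\s*")


def tag_excluding_header(name: str, value: str) -> bytes:
    if name.strip().lower() == "subject":
        value = TAG.sub("", value, count=1)
    return relaxed_header(name, value)


def digest(canon, value: str) -> str:
    return hashlib.sha256(canon("Subject", value)).hexdigest()


# Constructed sample subjects.
ORIGINAL = "Quarterly report attached"
SAMPLES = {
    "original": ORIGINAL,
    "list tag": "[dmarc] Quarterly report attached",
    "abused tag": "[http://spam.example/offer] Quarterly report attached",
}


def compare() -> dict:
    """Per sample: (matches under relaxed, matches under tag-excluding)."""
    return {
        label: (
            digest(relaxed_header, subject) == digest(relaxed_header, ORIGINAL),
            digest(tag_excluding_header, subject)
            == digest(tag_excluding_header, ORIGINAL),
        )
        for label, subject in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (relaxed_ok, tagged_ok) in compare().items():
        print(f"{label:10}  relaxed={relaxed_ok}  tag-excluding={tagged_ok}")
```

Under the hypothetical rule the mailing-list tag and the URL-bearing tag are indistinguishable to the verifier, which is why any such exclusion would need a tightly constrained tag grammar.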
