On 4/27/2015 6:20 PM, Scott Kitterman wrote:
Let's not lump "mailing list" into the same kind or group of MLM
operations. I care. I have a product to market. As a side note,
there is a legal argument to make when a MLM has intentionally ignored
a security protocol designed to protect a domain and end-users.
Claims of MalPractice and Intentional Neglect can easily be made.
There are most certainly product liability issues. Can't have it both
ways.
I'm not aware of any cases where someone was successfully sued for not
implementing something that's optional.
Reread what I said. There is most certainly product liability
concerns. You don't have to wait until a lawsuit occurs to know what
is the ethical, common sense engineering thing to do that will
minimize both technical and legal contention. The dilemma with
this is the same as it was with ADSP -- the MLM receiver can not skip a
DKIM policy protocol and also do resigning.
With a 3rd authorization scheme in place, the MLM SHOULD only work on
the relaxed policies.
The point is not what the MLM does, but what the MLM RECEIVER does.
It MUST also be a DMARC compliant system too as a protocol design
presumption.
So as I always said, the first rule of thumb is to follow the honor
protocol first. And if that doesn't make sense, then it's broken.
DMARC is an incomplete protocol until it offers support for ADID !=
SDID conditions whether it's deemed feasible or not by some.
As a mail receiver, they can accept or reject mail based on DMARC policies and
be compliant as a receiver. That helps not at all when the mediator later
modifies the message so a DKIM signature breaks.
If the policy is relaxed, then it doesn't matter.
DMARC may be incomplete, but it's sufficiently complete for large scale
deployment.
Dimensional Analysis -- what works for the smallest dimension will in
theory work at any dimension.
Anyway, we have been saying that since day one -- DKIM POLICY's highest
benefit is the direct 1st party signature policies and that satisfies
MOST domains.
But we still have the indirect problem because both ADSP and DMARC
lack the ADID != SDID protocol semantics. ADSP punted on it. DMARC
tries to punt on it and we should not be surprised we are finding they
can't.
If they want to punt on it, then they MUST honor the restrictive
policies at the MLM receiver, at the entry point. That is all the
point was.
--
HLS
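
Added example, not part of the original message or of any list software: one reading of the entry-point check argued for above, where a list receiver consults the author domain's DMARC policy before accepting a submission it would later modify and re-sign. The function names, decision labels, domains and record strings are assumptions constructed for illustration, and alignment is simplified (no public suffix list, no pct or sp handling).

```python
# Added illustration: entry-point DMARC check for a list (MLM) receiver.
# All records and domains are constructed samples, not real DNS data.

RESTRICTIVE = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags["p"] = tags["p"].lower()
    return tags

def aligned(adid, sdid):
    """Simplified alignment: equal, or one a subdomain of the other.
    Real relaxed alignment compares organizational domains, which needs
    a public suffix list that this sketch leaves out."""
    a, s = adid.lower().rstrip("."), sdid.lower().rstrip(".")
    return a == s or a.endswith("." + s) or s.endswith("." + a)

def list_entry_decision(adid, list_sdid, dmarc_txt, list_modifies=True):
    """Decide at submission time, before the list alters and re-signs.

    adid:      author domain from the From: header
    list_sdid: d= domain the list would sign with after modification
    dmarc_txt: TXT record published at _dmarc.<adid>, or None
    """
    record = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if record is None or record["p"] not in RESTRICTIVE:
        return "accept"            # relaxed policy or no policy published
    if not list_modifies:
        return "accept"            # author signature survives untouched
    if aligned(adid, list_sdid):
        return "accept"            # the re-signature would still align
    # ADID != SDID under a restrictive policy: downstream DMARC receivers
    # will fail the re-signed copy, so the list refuses it at entry.
    return "refuse-at-entry"

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=reject; pct=100"):
        print(rec, "->",
              list_entry_decision("bank.example", "lists.example.org", rec))
```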