On Thu 17/Aug/2023 04:45:48 +0200 Bron Gondwana wrote:
> On Tue, Aug 15, 2023, at 21:36, Alessandro Vesely wrote:
>> On Tue 15/Aug/2023 08:10:23 +0200 Bron Gondwana wrote:
>>> We'd love to not sign spam at all, but short of never allowing users to send email, it's
>>> not actually possible. We're not trying to "accommodate sites that send spam",
>>> we're trying to minimise the blast damage of a message that a bad actor manages to get
>>> signed - because that reduces the value of getting such a message stamped with a
>>> signature, and that reduces the amount of spam.
>>
>> Still, knowing that he's a bad actor, you could skip signing. Are there so
>> many new spammers every day? Or, rather, is there a bunch of professional
>> spammers who know how to hide?
>
> The whole point is - you don't know that a stolen account is a bad actor before it starts sending
> messages, and the ability to tell that a single message is spam, when it's being sent to a single
> recipient - again, if you have a reliable definition I'd love to see it. Even something like `please
> click <a href="https://site.com/">here</a> to update your bank details`, real
> organisations send real email like that to their customers. You can't tell it's spam without context.

Right, say you have to endure a replay attack only when an account is stolen.
Would that diminish total replay attacks? I mean, how many replay attacks are
instead committed using loosely verified accounts?

Assuming one can verify the real ID of each account, that is. Whether that is
feasible, expensive, convenient or ground-breaking is a different question.

>> The whole concept of domain authentication is questionable if domains have no
>> idea who their users are.
>
> At scale, there's always going to be a small percentage of bad users / hacked
> users on any system. Hence trying to make domain authentication not so
> valuable that getting it on a message is super powerful.

What is the value of domain authentication? And what should it be?

To answer, consider you bought goods or services for a large amount. The
invoice arrives by email specifying the exact amount and the bank account code.
The mail is DKIM-signed. Up to what amount would you trust and pay without
calling?
Best
Ale
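Editor's added example, not part of the thread and not code from either participant: Bron's point is that a signer who cannot keep every spam message from being signed can still bound the "blast damage" of a signature that leaks. RFC 6376 gives a signer two knobs for that, a signature expiration time (`x=`) and listing To:/Cc: more than once in `h=` (oversigning, so an instance the signer did not see is signed as empty and any later addition breaks the signature). The snippet below is a verifier-side check of those two tags on two constructed DKIM-Signature values (the `bh=`/`b=` values are placeholders; no cryptographic verification happens here). It reports whether a signature has expired, how long it was valid for, and whether recipient headers were oversigned, so a receiver can see how replayable a given signature is.

```python
import time

# Constructed sample DKIM-Signature values (not taken from the thread; bh= and
# b= are placeholders, so nothing here is cryptographically verifiable).
# Both claim the same d= domain; only the replay-limiting tags differ.
WEAK_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "t=1692000000; h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER="
)
HARDENED_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "t=1692000000; x=1692003600; "                  # x=: valid for one hour after t=
    "h=from:to:to:cc:cc:subject:subject:date; "     # to/cc/subject listed twice: oversigned
    "bh=PLACEHOLDER=; b=PLACEHOLDER="
)


def parse_tags(header_value):
    """Split a DKIM-Signature tag=value list (RFC 6376 section 3.2) into a dict.

    Splitting on the first '=' keeps the base64 padding of bh= and b= intact;
    folding whitespace inside a value is dropped.
    """
    tags = {}
    for item in header_value.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        tags[name.strip()] = "".join(value.split())
    return tags


def assess_replay_exposure(header_value, now=None):
    """Report how far a signature can be replayed, without verifying b=.

    expired    -> True when x= is present and `now` is past it (RFC 6376
                  section 3.5: verifiers MAY treat such a signature as invalid).
    lifetime   -> x= minus t= in seconds, or None when the signature never expires.
    oversigned -> per header, whether h= lists it at least twice, so a copy with
                  an added To:/Cc: header no longer verifies (RFC 6376 section
                  5.4.2: h= instances beyond those present are signed as empty).
    """
    now = time.time() if now is None else now
    tags = parse_tags(header_value)
    signed = [n.strip().lower() for n in tags.get("h", "").split(":") if n.strip()]
    result = {"expired": False, "lifetime": None, "oversigned": {}}
    if "x" in tags:
        expires = int(tags["x"])
        result["expired"] = now > expires
        if "t" in tags:
            result["lifetime"] = expires - int(tags["t"])
    for name in ("to", "cc"):
        result["oversigned"][name] = signed.count(name) >= 2
    return result


if __name__ == "__main__":
    for label, sig in (("weak", WEAK_SIG), ("hardened", HARDENED_SIG)):
        print(label, assess_replay_exposure(sig, now=1692000100))
```

Two caveats a receiver should keep in mind. Oversigning only protects header-level recipients; the SMTP envelope is not covered by DKIM, so a replay that keeps the headers intact and only changes RCPT TO still verifies, and the `x=` window is the only bound on that case. And a short lifetime is a trade-off for the signer: legitimate mail delayed past `x=` (greylisting, queued retries) will also fail, which is why the value is a policy choice rather than something a verifier can fix on its own.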
--
_______________________________________________
Ietf-dkim mailing list
ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim