On May 25, 2010, at 7:03 PM, Steve Atkins wrote:

> 
> On May 25, 2010, at 3:38 PM, Brett McDowell wrote:
> 
>> On May 10, 2010, at 3:09 PM, Steve Atkins wrote:
>> 
>>> On May 10, 2010, at 11:59 AM, John R. Levine wrote:
>>> 
>>>>> Apart from ADSP rules, a broken signature must be treated as if there was no
>>>>> signature at all. That in itself is not the problem. The problem with broken
>>>>> signatures is that people will not buy into a technology (DKIM) if it will
>>>>> not cover a significant part of their e-mail.
>>>> 
>>>> Of course.  That's why MLMs should sign their mail, or equivalently the MSA 
>>>> they use should sign it.  Problem solved, right?
>>>> 
>>>> Free bonus: MLMs can sign the list mail even if the contributor didn't 
>>>> sign it.
>>> 
>>> +1. It's pretty much a non-issue (unless you believe that DKIM is
>>> magic fairy dust that will prevent all "fraudulent use of your brand").
>> 
>> I believe we can disagree without being disagreeable.  I'm sure there is no 
>> one on this list (or in the world) who thinks DKIM is magic fairy dust that 
>> will prevent all fraudulent use of a brand.
> 
> If ADSP is not there to prevent "fraudulent use of your brand", what
> is it for?

To protect users from a type of crime (phishing) perpetrated in a particular 
channel (email).  It's not about protecting our brand.  It's about protecting 
our customers.

> 
> While I don't think ADSP proponents actually believe it is magical brand
> protection fairy dust, that is the operational model we're using when we're
> discussing the usage of ADSP.
> 
> ADSP does not, and can not, provide significant operational value
> in dealing with phishing,

Ummm... PayPal+Google+Yahoo have collectively blocked well over 100 million 
phishing attacks using DKIM+ADSP=discardable (if you include the out-of-band 
equivalent to ADSP=discardable that we had to put in place while we waited for 
a standard, that we now fully support and deploy).


> which is the only concrete example
> anyone has brought forward. So we're left with "brand protection",
> which is still plausible because it's so vague.
> 
> (If it were described as "Brand protection as applied to the section of
> the byte sequence in the From: field that isn't the part usually displayed
> to the end user" that would be less vague, but more obviously useless).
> 
> 
> 
>> I would like to think we are all on this list making a good faith effort to 
>> explore and debate the right way to deal with the status quo, including the 
>> option of sustaining it.  I personally don't agree with the position that 
>> the status quo should be sustained, but I respect both that position and 
>> those who articulate it.
> 
> 
> Yes, this summary may be blunt and possibly even disagreeable, but
> there comes a point when developing something that's going to affect
> many, many people that you have to mention the elephant in the room -
> which is that while lots of people involved have invested quite a bit of effort
> and professional credibility in putting it together there's still no definition
> of what problem it's supposed to solve, and the end result appears to
> be pretty much useless for any concrete phishing or brand protection
> scenario.

Problem = phishing
Utility = just one sender + two mailbox providers have blocked over 100 million 
phishing attacks; many of those blocks also resulted in site take-downs.

The value of what we already have from your efforts in IETF is HUGE for 
consumer protection.  It could be even more useful with the kind of tweaks I've 
suggested for MLMs... and probably a few more flags/states for ADSP.

-- Brett
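The two mechanics argued over in this thread (a broken DKIM signature counts as no signature, and a list that re-signs with its own d= domain does not produce an Author Domain Signature for the original From: domain) can be shown in a small receiver-side disposition check. The following is an added example, not code from any participant or from any DKIM/ADSP implementation; it follows the RFC 5617 policy values (unknown, all, discardable) and uses constructed domains and verification results.

```python
"""Minimal ADSP disposition logic (added illustration, not a reference implementation).

Assumptions, labelled: domains such as bank.example and lists.example.org are
constructed; DkimResult.status mirrors the verifier's outcome ("pass" or
"fail"); an ADSP policy of None means no record was found.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DkimResult:
    domain: str   # the d= tag of the DKIM-Signature header
    status: str   # "pass" for a verified signature, "fail" for a broken one


def author_domain(from_header: str) -> str:
    """Return the lower-cased domain of the From: address ("Name <u@d>" or "u@d")."""
    addr = from_header
    if "<" in from_header and ">" in from_header:
        addr = from_header[from_header.rindex("<") + 1:from_header.rindex(">")]
    return addr.rsplit("@", 1)[1].strip().lower()


def has_author_domain_signature(from_domain: str, results: List[DkimResult]) -> bool:
    """RFC 5617 Author Domain Signature: a *valid* signature whose d= equals the
    From: domain. A failed signature is treated exactly like no signature,
    and a valid signature from some other domain (e.g. a mailing list that
    re-signed the message) does not count."""
    return any(r.status == "pass" and r.domain.lower() == from_domain
               for r in results)


def adsp_disposition(from_header: str, results: List[DkimResult],
                     adsp_policy: Optional[str]) -> str:
    """Map (From: domain, DKIM results, published ADSP policy) to a disposition.

    adsp_policy is None (no record), "unknown", "all" or "discardable".
    Returns "accept", "suspicious" or "discard".
    """
    dom = author_domain(from_header)
    if has_author_domain_signature(dom, results):
        return "accept"             # author domain signature verified
    if adsp_policy in (None, "unknown"):
        return "accept"             # no policy: same as an unsigned message
    if adsp_policy == "all":
        return "suspicious"         # domain claims to sign everything; flag it
    if adsp_policy == "discardable":
        return "discard"            # domain asks receivers to drop unsigned mail
    raise ValueError(f"unknown ADSP policy: {adsp_policy!r}")


def mlm_scenarios() -> dict:
    """Constructed cases mirroring the thread: direct mail, broken signature,
    and a list that re-signs after altering the body."""
    author = "Alice <alice@bank.example>"
    return {
        # signature survived transit, policy discardable -> accepted
        "direct_signed": adsp_disposition(
            author, [DkimResult("bank.example", "pass")], "discardable"),
        # list added a footer: author signature broken, list signature valid
        "via_mlm_resigned": adsp_disposition(
            author, [DkimResult("bank.example", "fail"),
                     DkimResult("lists.example.org", "pass")], "discardable"),
        # same broken signature but the author domain publishes no ADSP record
        "via_mlm_no_policy": adsp_disposition(
            author, [DkimResult("bank.example", "fail"),
                     DkimResult("lists.example.org", "pass")], None),
    }


if __name__ == "__main__":
    for name, outcome in mlm_scenarios().items():
        print(f"{name}: {outcome}")
```

The "via_mlm_resigned" case is the one the thread is about: the list's own valid signature does not rescue a message whose author domain published dkim=discardable, because the list's d= is not the From: domain. A list that rewrites From: to its own domain (and signs for it) would pass this check, which is the kind of MLM tweak the message above alludes to.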

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html