On May 26, 2010, at 12:45 PM, Barry Leiba wrote:

> <<Chair Interrupt>>
>
> I want to shut off one aspect of this discussion, because it's wasting
> time, making us go around in circles, and causing a lot of
> misunderstanding.
>
> The aspect that I'm shutting off is any variation on the idea that
> because phishing succeeds despite any blocks on a particular domain
> name (using look-alikes and other funny domain-name tricks),
> protecting a domain name (for whatever value of "protecting" we want
> to talk about) does not affect the ability to phish, and therefore is
> not useful.
>
> This working group has consensus that it IS useful to "protect" a
> domain name. That consensus is well established, and has been much
> discussed. Further discussion of that question is out of scope.
> Let's please stop wasting time and effort on it.
>
> We all agree that making it harder for someone to send mail with
> "[email protected]" in the "from" line does not stop phishing
> attacks that fool recipients into thinking that the mail comes from
> PayPal. Nevertheless, we have rough consensus that it is useful to
> make it harder for senders who are not PayPal to send mail with
> "[email protected]" in the "from" line.

There's apparently a lot of disagreement, even within the active participants of this mailing list, as to what ADSP does do. As one specific example I do not believe there is consensus on what threat ADSP is intended to thwart, and without that I don't believe that it's possible to discuss how to deploy it or how to modify it.

As an example - there is a suggestion that ADSP be weakened such that it allows for unsigned mail sent through a mailing list. It's not possible to judge whether that will terminally weaken the protections offered by ADSP without knowing what the threat it's intended to defend against is.

If the sole benefit to ADSP is to "protect the domain name as used in the non-displayed part of the From: field" then weakening it to allow unsigned mail through mailing lists in the way suggested would break ADSP completely. OTOH, if the real goal is to help with phishing attacks against domains that are used solely to send B2C junk mail then there's a fairly strong argument that mailing lists aren't a likely conduit for phishing attacks against B2C bulk mailer targets.

If the chairs assert there is a consensus on what that threat is, I'd appreciate it if they can state that with a couple of concrete examples. If there is not consensus on that, then I don't see how the conversation about fixing the obviously broken bits of ADSP or working on good deployment practices can usefully continue.

Cheers,
  Steve

>
> -----
>
> I'll also add that the chairs have the job of declaring consensus, of
> declaring an issue resolved, and of declaring discussion closed. I
> ask that people avoid being dismissive in their responses, but I also
> remind others that a dismissive response from a participant does not
> enjoin anyone from continuing discussion.
>
> Carry on.
>
> -- Barry, as chair.
> _______________________________________________
> NOTE WELL: This list operates according to
> http://mipassoc.org/dkim/ietf-list-rules.html
