"Steve Atkins" <[email protected]> wrote:
>On Sep 10, 2010, at 3:46 PM, Scott Kitterman wrote:
>
>> On Friday, September 10, 2010 06:37:46 pm Steve Atkins wrote:
>>> On Sep 10, 2010, at 2:31 PM, Scott Kitterman wrote:
>>>>
>>>
>>> I don't think it inoculates them against ADSP problems - rather
>>> it opens them up to violations of the security model that ADSP
>>> would like to impose.
>>>
>> This is only true if John is wrong and mailing lists are a vector that we
>> need to worry about.
>
>Doing what you suggest would avoid the problems of legitimate
>email being discarded due to ADSP/mailing list interactions at
>the cost of allowing phishers to send email "from" a sender
>violating the ADSP security model simply by pretending to be
>a mailing list.
>
>> I happen to generally agree with him on this.
>
>Me too. But you're breaking the ADSP security model for all
>email with your suggestion. Note that neither of the examples
>I gave involved me sending a phishing email via a mailing
>list.
>

I don't think it breaks it. It avoids it and I think that's fine. Whatever limited value ADSP provides, it is only relevant to exact domain phishing. What we are describing is a putative weakness that's already beyond its design scope.

Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
