On Mon, 20 Sep 2010, Douglas Otis wrote:
> It seems this is making two assumptions that are likely incorrect:
>
> 1) receiving domains know which mailing-lists their users have subscribed.

Most don't. But such sites are also incapable of deploying TPA as a sender. So that's just as good an argument for the impracticality of TPA, as for the impracticality of except-mlist.

> 2) receiving domains reliably recognize mailing-list messages.

This also hurts TPA just as much. The only defense against forgery of lists that can only be recognized weakly (by accepting unsigned messages from any IP that display the correct List-Id:), is not to subscribe to such lists.

"except-mlist" comes out slightly ahead here. Since the subscription whitelist is consumed where it is compiled, and thus doesn't need to be converted into a standard "language" such as TPA, it can include ad-hoc measures such as "fake SPF records" to limit forgery of troublesome lists.

> > And remember, many big sites will never compile the information needed to
> > display a complete TPA policy. Without accommodation (i.e.: except-mlist),
> > "dkim=unknown" is all they can safely publish.
> Disagree. While there are many domains offering third-party email
> services, this still represents a finite dataset. In contrast, the
> domains used by bad actors represent an infinite dataset.

You seem to be hinting a global whitelist of mailing lists would be feasible -- so the domains in question could just salute one and be done with it. That doesn't sound practical to me. Especially since users at such ISPs will likely subscribe to lists that are too insecure to be put on the GW. Insecure mailing lists in a private whitelist are at least obscure, but a global whitelist cannot tolerate a single one.

Basically, the problem is that users at such ISPs do not want protection from forgeries *of themselves directed at others* badly enough to make the sacrifices needed to stop that cold. Such as dropping a non-DKIM, non-SPF mailing list where all their best friends hang out.

But, I want protection from forgeries *of other people directed at me*, and the use of "dkim=unknown" or no-ADSP by those other people hampers my ability to achieve that. I don't need them to go whole-hog TPA, I just need help squelching the supposedly-first-person forgeries, and I can take care of the supposedly-via-list forgeries myself.

---- Michael Deutschmann <[email protected]>

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
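A receiver-side sketch of the "except-mlist" idea argued for in the post above, as an added example that is not code from the thread, from any ADSP/TPA draft, or from any DKIM implementation. It assumes a hypothetical `except_mlist` qualifier on an ADSP-style record, a constructed subscription whitelist keyed by `List-Id` whose per-list IP allow list stands in for the "fake SPF records" the post mentions, and a single boolean for whether a valid author-domain DKIM signature was found. The domain names, IPs and the "suspect"/"discard" outcome labels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Policy:
    """ADSP-style policy published by the author domain.

    'dkim' is one of "unknown", "all", "discardable" (the ADSP values).
    'except_mlist' is the hypothetical qualifier from the thread: the
    domain asserts it signs everything except traffic relayed through
    mailing lists, and leaves recognising those lists to the receiver.
    """
    dkim: str
    except_mlist: bool = False


@dataclass(frozen=True)
class ListEntry:
    """One subscribed list in the receiver's private whitelist.

    'allowed_ips' is the receiver's own ad-hoc "fake SPF record" for the
    list: unsigned mail carrying this List-Id is trusted only from these IPs,
    which is the hardening the post says a private whitelist can carry.
    """
    list_id: str
    allowed_ips: FrozenSet[str]


@dataclass(frozen=True)
class Message:
    from_domain: str          # domain of the From: header
    source_ip: str            # connecting MTA
    list_id: Optional[str]    # List-Id: header, if any
    author_sig_valid: bool    # valid DKIM signature by from_domain


# Constructed sample data (hypothetical domains, not real records).
POLICIES: Dict[str, Policy] = {
    "bank.example": Policy("discardable"),               # never uses lists
    "bigisp.example": Policy("all", except_mlist=True),  # its users are on lists
    "lazy.example": Policy("unknown"),                   # publishes nothing enforceable
}

SUBSCRIPTIONS: FrozenSet[ListEntry] = frozenset({
    ListEntry("ietf-dkim.mipassoc.org", frozenset({"192.0.2.10"})),  # constructed IP
})


def recognized_list(msg: Message, subs: FrozenSet[ListEntry]) -> bool:
    """Weak list recognition (List-Id match) tightened by the per-list IP list."""
    return any(
        msg.list_id == entry.list_id and msg.source_ip in entry.allowed_ips
        for entry in subs
    )


def evaluate(msg: Message,
             policies: Dict[str, Policy] = POLICIES,
             subs: FrozenSet[ListEntry] = SUBSCRIPTIONS) -> str:
    """Classify a message as "accept", "suspect" or "discard".

    "suspect" is the local outcome for an unsigned message from a dkim=all
    domain and "discard" for dkim=discardable; both apply only when no
    except-mlist exemption rescues the message.
    """
    if msg.author_sig_valid:
        return "accept"      # first-party signature verified: nothing more to check
    policy = policies.get(msg.from_domain, Policy("unknown"))
    if policy.dkim == "unknown":
        return "accept"      # domain asserts nothing, so nothing to enforce
    if policy.except_mlist and recognized_list(msg, subs):
        return "accept"      # supposedly-via-list, vouched for by the local whitelist
    # Supposedly-first-person mail with no signature from a domain that signs everything.
    return "discard" if policy.dkim == "discardable" else "suspect"


if __name__ == "__main__":
    samples = [
        Message("bigisp.example", "192.0.2.10", "ietf-dkim.mipassoc.org", False),
        Message("bigisp.example", "198.51.100.7", "ietf-dkim.mipassoc.org", False),
        Message("bigisp.example", "198.51.100.7", None, False),
        Message("bank.example", "192.0.2.10", "ietf-dkim.mipassoc.org", False),
    ]
    for m in samples:
        print(m.from_domain, m.source_ip, m.list_id, "->", evaluate(m))
```

The second sample shows the point the post makes about weak recognition: a message carrying the right `List-Id` from an IP the receiver has not associated with that list is not rescued by the exemption, so forging "via-list" mail requires more than copying a header. The fourth shows that a domain which does not opt into the exemption gets its `discardable` assertion honoured even when the message looks like list traffic.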
