On 9/27/10 3:13 PM, Murray S. Kucherawy wrote: >> On Monday, September 27, 2010 3:02 PM, Douglas Otis wrote: >> >> You have placed TPA information in a domain not below >> "_domainkey.<signing-domain>". This increases the response size by 11 >> bytes with a trade-off of making delegations to signing mail providers >> more difficult. I am open to either approach, however only DKIM makes >> this scheme practical. > How does it make something more difficult? Two zones might need delegation instead of just one. >> At the same time, unless authorizations can defend against >> likely abuse, that too would render efforts unusable. The additional >> information also benefits the recipient when it simplifies their >> process and increases the number of messages being properly marked for >> rejection. > I don't really want to conduct an experiment that includes myriad optional > policy specifications without some operational data to suggest they stand a > chance of adoption. Simpler is better. Agreed, but not having a defense against trivial exploitation of an authorization is not better. When a defensive requirement proves unused, it can be removed without impact. Since this information sets authorization requirements, adding the information at a later date would not be compatible with existing implementations.
Perhaps we can work on the bare essentials independent of the notation used. Types of authentication that might be used for existing third-party services- 1) DKIM 2) TLS 3) SPF 4) EHLO/ADR Additional header field requirements ensure message sorting or presentation. The header field requirement is to offer simple tactics against most phishing exploits: a) Sender b) List-ID One could describe the current ADSP scheme as being "simple". Simple is not better when only ~200 out of 20,000 phished domains use the mechanism intended to mitigate the negative impact caused when users wonder about spoofed messages. The result of wondering is they might decide to curtail future business with the domain, which likely has a greater impact than losses due to fraud. The MLM recommendation of using different sub-domains ignores the fact that most recipients don't understand name changes on the right or the left of a recognizable name. Name recognition is improved when a single name is always used. The most visible name to recipients is the domain found in the From header, whether used as a basis for sorting, or when displayed in addition to that of the friendly name. It is unfortunate, the From header field is not always emitted by servers controlled by the Author Domain. The TPA-Label scheme seeks a means to retain a reasonable level of authentication compliance without mandating an often unobtainable requirement that messages only be emitted by Author Domains. In many cases, transparent authorization techniques are simply not practical, nor will any neutral status offer the proactive protections needed to mitigate phishing. -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
