On Tue, May 5, 2015 at 9:50 AM, Scott Kitterman <skl...@kitterman.com> wrote:
> >But the main point that everybody is missing is that we *do not* need
> >to deal with the "registration problem" in this WG because the
> >information to register a substantial fraction of mailing lists is
> >distributed in the related mailflows already, and the mailbox
> >providers know where to find the users for confirmation of their
> >intent. There's no need for new protocols.
>

Doesn't this presuppose that only good actors use that information channel properly?

> >I would prefer to focus on getting a signature delegation protocol
> >specified and hopefully put into practice, discussing mailing list
> >verification practices when potential users bring them up.
>
> No. I believe that entirely assumes away the hard part of the work. The
> hard part isn't figuring out candidate data. That can trivially be done as
> you suggest. The hard part is figuring out the subset of the data that's
> worthy of special treatment.
>
> Approximately as soon as list-id enables DMARC bypass, the bad guys will
> start adding it to everything. List-id is useless in this context.
>

I think that's right. I'm guessing that the Gmails of the world have heuristics that go beyond List-Id for identifying what incoming flows are legitimate lists and which are not. On the other hand, for small operators, maybe List-Id is enough of a good starting point to suggest it, without baking it into a protocol document as something normative.

-MSK
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
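
Added example, not part of the original message and not code from the working group: a receiver-side check in Python that contrasts a List-Id-only exemption with one that also requires a DKIM pass, recorded in the receiver's own Authentication-Results header, from a signing domain the receiver has confirmed for that list. The authserv-id, the list registry, the function names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV_ID = "mx.receiver.example"  # assumption: our own border MTA
CONFIRMED_LISTS = {"discuss.lists.example": "lists.example"}  # assumption: List-Id -> signing domain

# Constructed sample messages (not real traffic). Both fail DMARC for the From domain.
GENUINE = """\
From: alice@sender.example
List-Id: <discuss.lists.example>
Authentication-Results: mx.receiver.example; dkim=pass header.d=lists.example; dmarc=fail

body
"""
FORGED = """\
From: alice@sender.example
List-Id: <discuss.lists.example>
Authentication-Results: mx.receiver.example; dkim=none; dmarc=fail
Authentication-Results: mx.attacker.example; dkim=pass header.d=lists.example

body
"""

def list_id(msg):
    m = re.search(r"<([^<>]+)>", msg.get("List-Id", ""))
    return m.group(1).lower() if m else None

def passing_dkim_domains(msg):
    """DKIM d= domains that passed, read only from our own Authentication-Results."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV_ID:
            continue  # any other copy may have been inserted by the sender
        domains.update(d.lower() for d in
                       re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results))
    return domains

def naive_exempt(raw):
    # Exempts anything that carries a List-Id header, which any sender can add.
    return list_id(message_from_string(raw)) is not None

def checked_exempt(raw):
    msg = message_from_string(raw)
    expected = CONFIRMED_LISTS.get(list_id(msg))
    return expected is not None and expected in passing_dkim_domains(msg)
```

The Authentication-Results parsing here is simplified (no folded headers, no authserv-id version token); a deployment would use a full parser for that header.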