On 7/18/2017 7:20 AM, Murray S. Kucherawy wrote:
On Tue, Jul 18, 2017 at 1:34 PM, Kurt Andersen <ku...@drkurt.com> wrote:
    Let's take ietf.org as an example. There are
    @ietf.org individuals and then there are all the
    mailing lists. If IETF wished to assert to receivers that all their
    mail was either mediated or came from designated internal servers,
    how would they do that?

Why should receivers trust such an assertion by a domain they have not already decided to trust? Couldn't a bad actor make such a claim in an attempt to get preferential treatment?


Exactly.

The concept of whitelisting seems to parallel use of that construct 15 or so years ago. It has some utility in simple cases, but does not scale well and does not deal well with the dynamics of today's world of email system compromise...

ARC is an underlying authentication mechanism that calls for a new assessment mechanism, since the role of the authenticated entity is different than the entities currently being assessed by filtering engines -- intermediary rather than originator.

It is possible that simply re-using current assessment mechanisms will suffice -- I can easily imagine that working well -- but it seems equally possible that different mechanisms will be needed. This open question about how ARC authentication will get used is one of the reasons I think the industry needs to deploy ARC experimentally for a while, to develop some real-world operational experience with the dynamics of using it, beyond the early experience already being gained.

That's why I've suggested that being able to write a stable "Using ARC" BCP would be a pragmatic milestone for deciding that ARC is appropriate for formal standardization.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
