On Mon, Nov 23, 2020 at 12:02 PM Dave Crocker <dcroc...@gmail.com> wrote:
> On 11/23/2020 7:38 AM, Todd Herr wrote: > > On Mon, Nov 23, 2020 at 9:50 AM Joseph Brennan <bren...@columbia.edu> > wrote: > On Sat, Nov 21, 2020 at 7:14 PM John Levine <jo...@taugh.com> wrote: > >> >> >>> This also means that ARC isn't useful if you don't have a reputation >>>> system to tell you where the lists and other forwarders that might add >>>> legit ARC signatures are. >>>> >>> >> And if you know which hosts are legit mailing lists or forwarders, you >> already know what ARC would tell you. >> > > I believe, though, that the intent of ARC is that it be scalable in ways > that manual enumeration of known legit mailing lists and forwarders is not. > > > "if you know which hosts are legit" buries an assumption that is > problematic, namely that you know who handled the message. The fack that a > message purports to be handled by a mailing list you trust does not mean it > actually was. > > That's the issue that ARC resolves. > > ARC (and DKIM) produce noise-free uses of identifiers. If the > authentication validates, the receiver knows is really was handled by who > is saying it was handled by. Without these, you don't. > > > Yes, but knowing it really was handled by who is saying it was handled by isn't the entirety of the problem. I can know from ARC headers that X handled the message and what email authentication checks X purports to have done when handling the message and what results X claims to have obtained. What I have to decide in that case is "do I trust X to record correct and valid results?" because the answer to that question will impact my disposition of the message when it reaches me. It's obviously not the place of the ARC protocol spec to proscribe how trust in ARC results can be determined, but without some system in place for assigning trust levels to ARC Sealers, ARC has limited utility for sites that serve as the terminal destination for a message. -- *Todd Herr* | Sr. Technical Program Manager *e:* todd.h...@valimail.com *p:* 703.220.4153 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc