On Oct 13, 2009, at 4:30 AM, Ian Eiloart wrote:

> --On 13 October 2009 00:01:05 -0700 Dave CROCKER <d...@dcrocker.net> wrote:
>
>> Steve Atkins wrote:
>>> The "brand" cannot be protected solely via ADSP, at all, not in any manner.
>>>
>>> By that I mean that it's possible to protect the byte sequence paypal.com to some limited degree, but that that is operationally meaningless without any way to distinguish between "paypal.com" and "paypa1.com", or between "citibank.com" and "citibankonline.com",
>>
>> If anything, Steve is being generous, because it's actually much worse than that...
>
> I understand the issue here, but part of the point of DKIM/ADSP is to allow automated systems to assign reputation to an email domain or email address - a byte string. Those automated systems will be able to distinguish between paypal.com (likely with high positive reputation) and paypa1.com (likely to acquire a very high negative reputation quite quickly).
>
> So, sure, if the paypa1.com email is delivered, the recipient isn't protected. Except, perhaps, if the MUA fails to mark the email as from a trusted source - a bit like the way browsers are beginning to identify web sites with Extended Validation certificates.
>
> Furthermore, such systems could be designed to look for close mismatches, using Hamming distance functions, for example. My bet is that paypal don't own any domains with a Hamming distance of one from paypal.com,
(Just as an aside, you'd lose that bet. Ebay buy an awful lot of domains, with no intention of ever using them. One of those is... paypa1.com. :) )

> though they may well own domains with a Hamming distance of three - like paypal.org

All of this is something that could be done with DKIM assured identities. None of this requires ADSP. If anything, your observation is an argument against needing ADSP, as ADSP is *solely* about the sender of email making assertions about themselves, while you're talking about receivers of email making decisions based on previous behaviour.

> It might be nice if paypal could publish in the DNS a set of related domains, that it is willing to share the reputation of paypal.com with. Positive reputation could flow from paypal.com to the shared domains, and negative reputation in the reverse direction.

Paypal is a good example for when that's not needed. They send all their legitimate email as paypal.com. Even if they do own paypa1.com, they're not going to send you mail claiming to be paypa1.com.

(And for those cases where it would be useful the DKIM answer is "just sign all your mail with the same d= tag, and it'll share reputation".)

Cheers,
Steve

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
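The receiver-side "close mismatch" check Ian describes, as an added example that is not part of this thread or of any DKIM implementation: it compares a DKIM-verified d= domain against a constructed trust list using Hamming distance. It assumes the signature has already verified, and it deliberately shows the limit Steve raises: equal-length substitutions like paypa1.com are caught, but citibankonline.com has a different length and no Hamming distance at all.

```python
"""Hamming-distance lookalike check for DKIM signing domains (constructed example)."""
from typing import Optional

# Constructed trust list: signing domains whose mail has earned positive reputation.
TRUSTED_DOMAINS = {"paypal.com", "citibank.com"}


def hamming(a: str, b: str) -> Optional[int]:
    """Hamming distance between two equal-length strings; None if lengths differ."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


def classify_signing_domain(d: str, trusted=TRUSTED_DOMAINS, max_dist: int = 1) -> str:
    """Classify an already-verified DKIM d= value against a trust list.

    Returns 'trusted', 'lookalike:<trusted domain>' or 'unknown'.
    An unverified d= proves nothing, so callers must check the signature first.
    """
    d = d.strip().lower().rstrip(".")  # normalise case and trailing dot
    if d in trusted:
        return "trusted"
    best = None
    for t in sorted(trusted):
        dist = hamming(d, t)
        # Only equal-length near-misses have a distance; longer/shorter names fall through.
        if dist is not None and 0 < dist <= max_dist:
            if best is None or dist < best[0]:
                best = (dist, t)
    if best:
        return f"lookalike:{best[1]}"
    return "unknown"


if __name__ == "__main__":
    for name in ("paypal.com", "paypa1.com", "paypal.org", "citibankonline.com"):
        print(name, "->", classify_signing_domain(name))
```

paypal.org sits at distance three from paypal.com, as the thread notes, so with max_dist=1 it is reported as unknown rather than as a lookalike.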