On 7/29/10 6:46 PM, Alessandro Vesely wrote:
> On 29/Jul/10 14:46, Douglas Otis wrote:
>
>> The TPA-Label approach does _not_ depend upon changes made by
>> the mailing-list! The TPA-Label limits change to code already
>> handling ADSP records, and of course to domains making ADSP
>> assertions. There is only a small number of domains making
>> actionable ADSP assertions. The TPA-Label would allow Author
>> Domains a means to assert explicit exceptions when processing
>> their restrictive ADSP assertions.
>
> I agree that TPA-Label would make it more practical to use policies
> other than "unknown". However, I have the feeling that it is more
> useful for small domains that want to use external services, than for
> mailing lists. For a large domain whose users are free to subscribe
> to any list, I see two major concerns:
>
> 1. There is no standard way for the domain to learn when any of its
> users subscribe to a new list. In practice, users would have to
> check whether the relevant TPA already exists, and possibly apply for
> it internally, before subscribing.
Disagree. Likely most of the domains being heavily phished are already
required to carefully monitor outbound traffic. If the industry were to
compile a list of informal third-party service domains, along with their
recommended TPA-Label assertions, any outbound traffic could quickly
confirm whether authorization had been granted, and use the compiled
list to automatically generate the authorization, or simply point their
"_tpa" list to such an industry list already being published, or
immediately reject the message and inform the user they need to find a
different alternative. Any recommendation that suggests a targeted and
recognized domain should start using other domains or subdomains to
conduct public exchanges simply creates new avenues for phishing and
will cause greater recipient confusion. In other words, a very bad
practice.

> 2. Granting a TPA implies a good degree of trust. I don't think
> /any/ mailing list would obtain a TPA from, say, PayPal; the sites
> who would could then be trusted "by proxy" by anyone who takes
> PayPal's assessments for good...

Most mailing lists would be safe for a domain in their position to
authorize. Most who subscribe already sort these messages. The
TPA-Label can even ensure whether a message came from the authorized
list. Any mailing list that confirms subscriptions, and adds typical
annotations should be safe to authorize. Of course, things like A-R
headers would be better.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
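The outbound-gateway workflow argued for above (check whether a TPA authorization for the third-party service already exists, otherwise generate it from an industry-compiled list or reject the message with a reason the user can act on) can be sketched as follows. This is an added example, not code from this thread or from any TPA-Label implementation. The record form `<label>._tpa.<author-domain>`, the use of a truncated SHA-256 hash as the label, the `v=tpa1; scope=...` TXT syntax and every sample domain are constructed for illustration and are not the TPA-Label draft's actual encoding; a real deployment would publish and look up the records in DNS rather than in an in-memory dictionary.

```python
"""Outbound TPA-Label policy check (added example, not the thread's code).

Assumptions (not from the page): owner names of the form
'<hash>._tpa.<author-domain>' with <hash> = first 32 hex chars of
SHA-256 over the third-party domain, and TXT content 'v=tpa1; ...'.
All domains and records below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # authorization already published
    GENERATE = "generate"  # authorization auto-published from the industry list
    REJECT = "reject"      # no recognised authorization; bounce with a reason


def normalize_domain(domain: str) -> str:
    """Lower-case and strip a trailing dot so lookups are canonical."""
    return domain.strip().rstrip(".").lower()


def tpa_label(third_party: str) -> str:
    """Hypothetical label: truncated SHA-256 of the canonical domain (IDNA bytes)."""
    digest = hashlib.sha256(normalize_domain(third_party).encode("idna")).hexdigest()
    return digest[:32]


def tpa_record_name(author_domain: str, third_party: str) -> str:
    """Hypothetical DNS owner name under the author domain's _tpa subtree."""
    return f"{tpa_label(third_party)}._tpa.{normalize_domain(author_domain)}"


def recipient_domain(address: str) -> Optional[str]:
    """Return the domain part of an address, or None if it is malformed."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return normalize_domain(domain)


@dataclass
class OutboundPolicy:
    author_domain: str
    # owner name -> TXT content the author domain has already published
    published: Dict[str, str] = field(default_factory=dict)
    # third-party domain -> recommended assertion from the industry list
    industry_list: Dict[str, str] = field(default_factory=dict)
    auto_publish: bool = True

    def check(self, recipient: str) -> Tuple[Decision, str]:
        """Decide what to do with an outbound message addressed to `recipient`."""
        third_party = recipient_domain(recipient)
        if third_party is None:
            return Decision.REJECT, f"malformed recipient address: {recipient!r}"
        name = tpa_record_name(self.author_domain, third_party)
        if name in self.published:
            return Decision.ALLOW, name
        recommended = self.industry_list.get(third_party)
        if recommended is None:
            return (Decision.REJECT,
                    f"{third_party} has no TPA authorization and is not on the industry list")
        if not self.auto_publish:
            return (Decision.REJECT,
                    f"{third_party} is listed but auto-publishing is off; request {name}")
        # Generate the authorization from the industry list's recommended assertion.
        self.published[name] = recommended
        return Decision.GENERATE, name


# Constructed sample industry list (not real records).
SAMPLE_INDUSTRY_LIST = {
    "lists.example.net": "v=tpa1; scope=list",
    "newsletter.example.org": "v=tpa1; scope=bulk",
}


def demo() -> Dict[str, Decision]:
    """Run the four outcome paths against constructed recipients."""
    policy = OutboundPolicy(author_domain="bank.example",
                            industry_list=dict(SAMPLE_INDUSTRY_LIST))
    # Pre-publish one authorization so the ALLOW path is exercised.
    policy.published[tpa_record_name("bank.example", "lists.example.net")] = \
        SAMPLE_INDUSTRY_LIST["lists.example.net"]
    results = {}
    for rcpt in ("dkim@lists.example.net",
                 "news@newsletter.example.org",
                 "someone@unknown.example",
                 "broken-address"):
        decision, _detail = policy.check(rcpt)
        results[rcpt] = decision
    return results


if __name__ == "__main__":
    for rcpt, decision in demo().items():
        print(f"{rcpt:30} -> {decision.value}")
```

The `auto_publish` switch models the two deployment choices in the message: a domain that trusts the industry list can let the gateway publish the authorization on first use, while a more cautious domain keeps the list as a recommendation only and rejects until an operator requests the record.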