- Original Message -
From: Michael Thomas [EMAIL PROTECTED]
To: Hector Santos [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; ietf-dkim@mipassoc.org
Sent: Monday, August 07, 2006 1:53 AM
Subject: Re: [ietf-dkim] How to reconcile passive vs active?
Hector Santos wrote:
Even then, the main
On Sun, 6 Aug 2006, Michael Thomas wrote:
Hector Santos wrote:
Even then, the main issue is the potential damages that are being
ignored.
My wife said it best when asked why even the BIG companies like WALMART,
YAHOO, CISCO, AOL.COM, BIGBANK should also support strong policies:
I
On Sun, Aug 06, 2006 at 10:53:21PM -0700, Michael Thomas allegedly wrote:
Hector Santos wrote:
Even then, the main issue is the potential damages that are being
ignored.
My wife said it best when asked why even the BIG companies like WALMART,
YAHOO, CISCO, AOL.COM, BIGBANK should
Mark Delany wrote:
All indications on this list are that a good number of us think yes,
so the strong policy position needs comprehensive coverage in your
requirements I-D.
Chair-ish quibble: I think the positions exposed on the list must of
course be covered in reqs-00, but I also think
- Original Message -
From: Stephen Farrell [EMAIL PROTECTED]
Chair-ish quibble: I think the positions exposed on the list
must of course be covered in reqs-00, but I also think the
more words that are used to do that, the more disagreement we'll
get. Put another way, I hope no-one
Hector Santos:
- Original Message -
From: Mark Delany [EMAIL PROTECTED]
It's obvious that there are two relatively strong viewpoints: one the
passive that Dave describes and one the active that, amongst others, I
describe.
...
On 8/5/06, Hector Santos [EMAIL PROTECTED] wrote:
- Original Message -
From: John L [EMAIL PROTECTED]
To: Michael Thomas [EMAIL PROTECTED]
That's a pretty reasonable question, frankly. The set of domains that
would actually benefit from SSP from the consensus I've seen seems like
I believe that without policy records (we can discuss the particulars
later), the rest is useless.
Regards,
Damon Sauer
On 8/5/06, william(at)elan.net [EMAIL PROTECTED] wrote:
On Sat, 5 Aug 2006, John L wrote:
In no way does accreditation=DKIM
But policy records are in a way. Let's look at
+1
I don't agree with everything in DSAP and would take you to task on one or two.
However, I believe that it is doable in our lifetimes and if we worked
really hard, could be worked out in this working session. Without it,
SSP's a big piece of duct tape.
Regards,
Damon Sauer
On 8/6/06, Hector
I have noticed a number of rhetorical moves here that are deprecated in IETF
circles
1) Recourse to the IESG
Unless you are on the IESG you should not claim to speak for it. It is
ridiculous to see people who have never been on the IESG, have no similar
experience and have not even
Stephen Farrell wrote:
Mark Delany wrote:
All indications on this list are that a good number of us think yes,
so the strong policy position needs comprehensive coverage in your
requirements I-D.
Chair-ish quibble: I think the positions exposed on the list must of
course be covered in
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Thomas
Douglas Otis wrote:
Another policy that might be considered would be one for
the DKIM
client
I'm sorry, I have no idea what a dkim client is. Can you in as few of
words as
possible tell me what that is?
In a
The DKIM authentication convention could be noted at the EHLO by
having the host-name for the client utilize a _dkim. prefix. This
prefix signals the mode of authentication made possible by the DKIM
convention claiming this prefix. This could fall into the same realm
as the key, and From policy
[mailto:[EMAIL PROTECTED] On Behalf Of John L
It's true, I don't, and I've been trying to figure out why
not. It finally came to me: senders are not the right people
to judge their own importance.
True but senders can state whether:
1) They have been accredited as a financial
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Thomas
Even then, the main issue is the potential damages that
are being ignored.
My wife said it best when asked why even the BIG companies like
WALMART, YAHOO, CISCO, AOL.COM, BIGBANK should also
support strong policies:
I
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Crocker
2. I think that the passive/active difference involves a
superset/subset relationship. That is, I think that the
active begins
with the statements made in the passive mode, about the
sender/signer,
but extends them to tell the
- Original Message -
From: Dave Crocker [EMAIL PROTECTED]
That's helpful, but probably not enough.
We still need to understand why such specification is essential to the
specification and why we believe it will work.
Dave, in my opinion, every aspect has been discussed, debated,
1) Signature Validates:
2) Signature fails to validate because the originator screwed up
3) Signature fails to validate because the sender screwed up
4) Signature fails to validate because of an intermediary acting for the
recipient (mailing list, forwarder, etc.).
The first case is success,
On Monday 07 August 2006 03:10, Hector Santos wrote:
- Original Message -
From: Mark Delany [EMAIL PROTECTED]
It's obvious that there are two relatively strong viewpoints: one the
passive that Dave describes and one the active that, amongst others, I
describe.
...
Do we try
From: Damon [mailto:[EMAIL PROTECTED]
Speaking as a real live, currently employed, sysadmin
(numbers bigger than all the scientists in the entire world
put together --- just kidding with you Phillip)... Yikes!
Do I need a separate email for when I am living out of a suitcase for
6
I don't think it's really sunk in as to how small the set of senders
who will find this useful is, or how disruptive it will be if you
accidentally set it when it doesn't apply to you.
From my perspective, the number needn't be small at all. Small
organizations with their own mail
On 8/7/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Damon
Can we figure something else out that doesn't require me (or my 200k+)
users to have to remember two separate addresses, the cases to use
each, and remember what the second one is the first time they have to
use it in 5 years?
as a
On Aug 7, 2006, at 10:31 AM, Arvel Hathcock wrote:
I don't think it's really sunk in as to how small the set of senders
who will find this useful is, or how disruptive it will be if you
accidentally set it when it doesn't apply to you.
From my perspective, the number needn't be small at
Do I need a separate email for when I am living out of a suitcase for
6 months at Holiday Inn too?
Sorry but, honestly, is this still a big problem in today's world? We
solved this long ago didn't we? Who is using the hotel's email system
who can not also get to their corporate email
On 8/7/06, Hallam-Baker, Phillip [EMAIL PROTECTED] wrote:
For the companies spending seven to eight figure sums as a result of phishing
the rule 'no mailing list subscriptions from a corporate account' is probably
both viable and desirable.
I am not saying that we should only design the spec
On 8/7/06, Arvel Hathcock [EMAIL PROTECTED] wrote:
Do I need a separate email for when I am living out of a suitcase for
6 months at Holiday Inn too?
Sorry but, honestly, is this still a big problem in today's world? We
solved this long ago didn't we? Who is using the hotel's email
On Aug 7, 2006, at 9:39 AM, Hallam-Baker, Phillip wrote:
Cisco is not a typical email user, it is not currently a target of
the type of attack that would make one want to publish strong policy.
Mike is correct to suggest that Cisco represents a typical domain
sending and receiving email.
On Aug 7, 2006, at 11:10 AM, Dave Crocker wrote:
Steve Atkins wrote:
From my perspective, the number needn't be small at all. Small
organizations with their own mail processing infrastructure can with
...
Even when it decreases overall deliverability? That is to say, causes
legitimate
On Monday 07 August 2006 14:17, Dave Crocker wrote:
Do I need a separate email for when I am living out of a suitcase for
6 months at Holiday Inn too?
Sorry but, honestly, is this still a big problem in today's world? We
solved this long ago didn't we? Who is using the hotel's email
Steve Atkins wrote:
A lot of the controversy about SSP is based on
false positives - mail that was signed when sent but is not
signed when received.
I know that various people have been looking at the cases where
that can happen, but I don't recall seeing any quantitative
results
Steve Atkins wrote:
A lot of the controversy about SSP is based on
false positives - mail that was signed when sent but is not
signed when received.
I know that various people have been looking at the cases where
that can happen, but I don't recall seeing any quantitative
results presented. If
- Original Message -
From: Steve Atkins [EMAIL PROTECTED]
To: DKIM List ietf-dkim@mipassoc.org
Even when it decreases overall deliverability? That is to say, causes
legitimate email to be treated as forgeries and, likely, discarded.
The fraudulent mail covered are for 0% FALSE
Here is the scenario:
My CEO calls me and says, I sent an email to the SEC and they never got it!
- I tell him to hang on whilst I check the logs (and I finish my bagel)
... We are showing a successful delivery. I will get hold of the
postmaster at the SEC and figure it out.
So I spend half a day
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Crocker
Steve Atkins wrote:
A lot of the controversy about SSP is based on false
positives - mail
that was signed when sent but is not signed when received.
I know that various people have been looking at the cases
where that
can
On Aug 7, 2006, at 12:27 PM, Hector Santos wrote:
From: Steve Atkins [EMAIL PROTECTED]
Even when it decreases overall deliverability? That is to say,
causes legitimate email to be treated as forgeries and, likely,
discarded.
The fraudulent mail covered are for 0% FALSE POSITIVES.
[mailto:[EMAIL PROTECTED] On Behalf Of Damon
Here is the scenario:
My CEO calls me and says, I sent an email to the SEC and
they never got it!
- I tell him to hang on whilst I check the logs (and I finish
my bagel) ... We are showing a successful delivery. I will
get hold of the
On 8/7/06, Hallam-Baker, Phillip [EMAIL PROTECTED] wrote:
[mailto:[EMAIL PROTECTED] On Behalf Of Damon
Here is the scenario:
My CEO calls me and says, I sent an email to the SEC and
they never got it!
- I tell him to hang on whilst I check the logs (and I finish
my bagel) ... We are
- Original Message -
From: Hallam-Baker, Phillip [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Steve Atkins [EMAIL PROTECTED]
Cc: DKIM List ietf-dkim@mipassoc.org
Sent: Monday, August 07, 2006 3:57 PM
Subject: RE: [ietf-dkim] SSP False positives/negatives
We have a reactive system here.
- Original Message -
From: Scott Kitterman [EMAIL PROTECTED]
If I'm standing at a kiosk, how do I have any control over how
a message sent through that kiosk gets signed? I don't think I do.
I see several things:
If you are going to use an email address via this kiosk, you should make
39 matches