-Original Message-
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-
boun...@mipassoc.org] On Behalf Of Alessandro Vesely
Sent: Thursday, April 29, 2010 10:55 PM
To: ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] Broken signatures, was Why mailing lists
should strip them
On 4/29/10 6:06 PM, John Levine wrote:
I just don't see how you can simultaneously say throw away unsigned
mail and don't throw away unsigned mail if a list says it used to
be signed unless you have some way to identify trustworthy lists.
Agreed. People might trust authentications of a
--On 29 April 2010 10:58:44 -0600 McDowell, Brett bmcdow...@paypal.com
wrote:
On Apr 28, 2010, at 2:11 PM, John R. Levine wrote:
Your proposal that MLM remove Signatures would cause restrictive
policies to fail.
Which is why I oppose this proposal.
Indeed. I'm assuming that any list
--On 29 April 2010 11:39:52 -0700 Powers, Jot jpow...@paypal.com wrote:
...
What I'd advise is something like put all of your transactional mail
in a subdomain and set it to discardable, but don't do that to all
your corpro users. There are other ways to go about this, but I'd say
that
--On 30 April 2010 01:06:15 + John Levine jo...@iecc.com wrote:
I just don't see how you can simultaneously say throw away unsigned
mail and don't throw away unsigned mail if a list says it used to be
signed unless you have some way to identify trustworthy lists. But
once you know that
--On 28 April 2010 11:02:53 -0400 MH Michael Hammer (5304)
mham...@ag.com wrote:
A few thoughts to fuel the discussion:
1) It may be that the BCP document would appropriately have a section
for end users of mail lists. One possible recommendation is that for
domains which have strong
--On 28 April 2010 08:23:52 -0700 Dave CROCKER d...@dcrocker.net wrote:
On 4/28/2010 8:02 AM, MH Michael Hammer (5304) wrote:
A few thoughts to fuel the discussion:
1) It may be that the BCP document would appropriately have a section
for end users of mail lists. One possible
On Thu, 29 Apr 2010 21:12:02 +0100, SM s...@resistor.net wrote:
At 11:12 29-04-10, Michael Thomas wrote:
With respect to DKIM, anybody who filters based on broken signatures
without any (or little) other input pretty much deserves the false positive
rate they're complaining about.
This
Could you explain what you mean by forge and legitimate? You
appear to be saying that mailing lists are doing something sleazy and
illegitimate by doing what they've done for the past 40 years, which
seems implausible.
That is exactly what I'm saying.
http://en.wikipedia.org/wiki/Asbestos
On 30/Apr/10 08:50, Murray S. Kucherawy wrote:
boun...@mipassoc.org] On Behalf Of Alessandro Vesely Sent: Thursday, April
29, 2010 10:55 PM
Yet, it would seem that by, say, hashing just invariants of binary
representations of the first entity, e.g. discarding its white space and
In article 4bda70b5.4090...@tana.it you write:
On 29/Apr/10 01:12, SM wrote:
The diversity
of the email environment is such that you cannot come up with a
mellowed canonicalization to cope with every possible change.
Yet, it would seem that by, say, hashing just invariants of binary
Then the recipient has some evidence to assist in his evaluation. In fact,
the changes made by this list are easily reversible, if someone wants to
try to reverse them and check the original signature. But he cannot do
that with a signature that has been removed.
Huh? If we could write
On Fri, Apr 30, 2010 at 7:48 AM, John R. Levine jo...@iecc.com wrote:
Could you explain what you mean by forge and legitimate? You
appear to be saying that mailing lists are doing something sleazy and
illegitimate by doing what they've done for the past 40 years, which
seems implausible.
On Fri, Apr 30, 2010 at 5:38 AM, Ian Eiloart i...@sussex.ac.uk wrote:
--On 30 April 2010 01:06:15 + John Levine jo...@iecc.com wrote:
I just don't see how you can simultaneously say throw away unsigned
mail and don't throw away unsigned mail if a list says it used to be
signed unless
On 4/29/2010 2:04 PM, Jeff Macdonald wrote:
On Wed, Apr 28, 2010 at 11:23 AM, Dave CROCKER d...@dcrocker.net wrote:
I think you are raising the (much) larger question of constraining the
nature of changes made by MLMs. Since they [sic] are actually posting an
entirely new message,
and
On 4/30/2010 3:16 AM, Ian Eiloart wrote:
2) One possible recommendation to list managers is that if a message to
the list is DKIM signed AND has an ADSP discardable policy AND the
signature cannot be maintained intact then the list should bounce the
message.
What is the particular
This isn't really a reply.
It's a comment that Steve's note was sent a week ago and I'm frankly impressed
that it has received no replies, since it contains the most salient
observations about the current problem being discussed I've seen.
I've included all of its body in this posting, in the
On Apr 29, 2010, at 9:06 PM, John Levine wrote:
I just don't see how you can simultaneously say throw away unsigned
mail and don't throw away unsigned mail if a list says it used to be
signed unless you have some way to identify trustworthy lists.
Precisely! The key phrase being unless you
On Apr 30, 2010, at 5:30 AM, Ian Eiloart wrote:
--On 29 April 2010 10:58:44 -0600 McDowell, Brett bmcdow...@paypal.com
wrote:
On Apr 28, 2010, at 2:11 PM, John R. Levine wrote:
Your proposal that MLM remove Signatures would cause restrictive
policies to fail.
Which is why I oppose
On 04/30/2010 07:05 AM, McDowell, Brett wrote:
In that scenario, if the MLM re-signing solution has been deployed by Y, and
DKIM+ADSP has been deployed by X & Z, and Z has chosen to take action on X's
ADSP policies... the only thing Z is trusting Y to do is validate incoming
DKIM
--On 30 April 2010 06:00:50 -0700 Dave CROCKER d...@dcrocker.net wrote:
On 4/30/2010 3:16 AM, Ian Eiloart wrote:
2) One possible recommendation to list managers is that if a message to
the list is DKIM signed AND has an ADSP discardable policy AND the
signature cannot be maintained
On Apr 30, 2010, at 10:23 AM, Michael Thomas wrote:
On 04/30/2010 07:05 AM, McDowell, Brett wrote:
In that scenario, if the MLM re-signing solution has been deployed by Y, and
DKIM+ADSP has been deployed by X & Z, and Z has chosen to take action on X's
ADSP policies... the only thing Z is
--On 30 April 2010 08:02:44 -0400 John R. Levine jo...@iecc.com wrote:
I just don't see a plausible scenario where you know you trust the
list but still want to accept or reject mail based on assertions the
list itself makes.
How about you trust the list, and it says the inbound
--On 30 April 2010 12:37:22 + John Levine jo...@iecc.com wrote:
Then the recipient has some evidence to assist in his evaluation. In
fact, the changes made by this list are easily reversible, if someone
wants to try to reverse them and check the original signature. But he
cannot do
On 04/30/2010 07:38 AM, McDowell, Brett wrote:
On Apr 30, 2010, at 10:23 AM, Michael Thomas wrote:
On 04/30/2010 07:05 AM, McDowell, Brett wrote:
In that scenario, if the MLM re-signing solution has been deployed by Y,
and DKIM+ADSP has been deployed by X & Z, and Z has chosen to take
Perhaps they are, but there could be some value in trying to define a set of
reversible list modifications which would permit DKIM signatures to still be
useful. That's not to mandate those modifications, or to forbid others, but
as guidance. It could be a way forward.
Sounds like another
On Fri, Apr 30, 2010 at 8:56 AM, Dave CROCKER d...@dcrocker.net wrote:
I wrote:
and forging the From address
It's not forged:
to imitate fraudulently
http://dictionary.reference.com/browse/forge
The use of that word, for this situation, is simply incorrect.
And the retention of the
-Original Message-
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-
boun...@mipassoc.org] On Behalf Of Jeff Macdonald
Sent: Friday, April 30, 2010 8:32 AM
To: dcroc...@bbiw.net
Cc: ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] Wrong Discussion - was Why mailing lists
On 04/30/2010 08:32 AM, Jeff Macdonald wrote:
Perhaps poorly chosen words. But I think most understood the intent.
I'm willing to go from a world where any system can use my From to one
where only the systems I say can. And that means changes.
Really? The sender has to opt in? That sounds like
Is there anything out there that's not in the mistake or bogus category that
would foil paypal's discardable adsp setting? Preferably that has the
characteristic that it's out of their control.
Mike
___
NOTE WELL: This list operates according to
On 4/30/2010 8:32 AM, Jeff Macdonald wrote:
On Fri, Apr 30, 2010 at 8:56 AM, Dave CROCKER d...@dcrocker.net wrote:
I wrote:
and forging the From address
It's not forged:
...
The use of that word, for this situation, is simply incorrect.
...
Perhaps poorly chosen words. But I think most
On Fri, Apr 30, 2010 at 12:15 PM, Dave CROCKER d...@dcrocker.net wrote:
On 4/30/2010 8:32 AM, Jeff Macdonald wrote:
On Fri, Apr 30, 2010 at 8:56 AM, Dave CROCKER d...@dcrocker.net wrote:
I wrote:
and forging the From address
It's not forged:
...
The use of that word, for this
On Fri, Apr 30, 2010 at 11:57 AM, Michael Thomas m...@mtcc.com wrote:
Is there anything out there that's not in the mistake or bogus category that
would foil paypal's discardable adsp setting? Preferably that has the
characteristic that it's out of their control.
ESPs have a
-Original Message-
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-
boun...@mipassoc.org] On Behalf Of Dave CROCKER
Sent: Friday, April 30, 2010 12:15 PM
To: Jeff Macdonald
Cc: dcroc...@bbiw.net; ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] Wrong Discussion - was Why
On 04/30/2010 09:37 AM, Jeff Macdonald wrote:
On Fri, Apr 30, 2010 at 11:57 AM, Michael Thomas m...@mtcc.com wrote:
Is there anything out there that's not in the mistake or bogus category that
would foil paypal's discardable adsp setting? Preferably that has the
characteristic that it's out
-Original Message-
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-
boun...@mipassoc.org] On Behalf Of Jeff Macdonald
Sent: Friday, April 30, 2010 12:37 PM
To: IETF-DKIM
Subject: Re: [ietf-dkim] besides mailing lists...
On Fri, Apr 30, 2010 at 11:57 AM, Michael Thomas
On Fri, Apr 30, 2010 at 11:47 AM, MH Michael Hammer (5304)
mham...@ag.com wrote:
ESPs have a forward-to-a-friend feature for their clients. It's a
feature in which the ESP creates the content and sends a message from
a friend, to a friend. It would be discarded. However, I'm willing to
say
On Fri, Apr 30, 2010 at 12:58 PM, Al Iverson aiver...@spamresource.com wrote:
On Fri, Apr 30, 2010 at 11:47 AM, MH Michael Hammer (5304)
mham...@ag.com wrote:
ESPs have a forward-to-a-friend feature for their clients. It's a
feature in which the ESP creates the content and sends a message
On 4/30/2010 9:44 AM, MH Michael Hammer (5304) wrote:
I seem to remember this discussion in the distant past and there overall
people seemed to have less difficulty with the use of the term spoof
or spoofing instead of forge or forging. If not this term then it
would be appropriate to come
On 30/Apr/10 12:13, Ian Eiloart wrote:
--On 28 April 2010 11:02:53 -0400 MH Michael Hammer (5304)
mham...@ag.com wrote:
2) One possible recommendation to list managers is that if a message to
the list is DKIM signed AND has an ADSP discardable policy AND the
signature cannot be maintained
On 4/30/10 8:48 AM, Michael Thomas wrote:
On 04/30/2010 08:32 AM, Jeff Macdonald wrote:
Perhaps poorly chosen words. But I think most understood the intent.
I'm willing to go from a world where any system can use my From to one
where only the systems I say can. And that means changes.
I know this isn't a popular opinion. Just because something has been
done some way for 40 years doesn't make it right. Thus my link to
asbestos.
Asbestos was always toxic to humans, but for whatever reason it took a
long time to identify the problem.
Is there some long-standing toxic effect of
We need to be precise about what we mean by trustworthy. Even if I
have some way to identify trustworthy lists as you put it above, I
have to be very clear about what I'm actually trusting that list to do.
When I sign up for a list, I trust it to send me mail that I am
willing to receive. Is
Even with your discardable adsp setting, it becomes a
matter of the order of checks at the receiver's gate (eg, whitelist
first, then adsp...)
But since mailbox providers already manage reputation at scale, how much
of a burden is adding this bit to the mix? Remember this only affects
mailbox
I suppose that other sites (some news sites for example...would have to
look for one to find a concrete example) which use forward-to-a-friend
where the site uses the from address of the individual.
Try any newspaper web site that offers an email button.
R's,
John
On 4/30/10 11:24 AM, John Levine wrote:
We need to be precise about what we mean by trustworthy. Even if I
have some way to identify trustworthy lists as you put it above, I
have to be very clear about what I'm actually trusting that list to do.
When I sign up for a list, I trust it to
On Apr 30, 2010, at 2:24 PM, John Levine wrote:
We need to be precise about what we mean by trustworthy. Even if I
have some way to identify trustworthy lists as you put it above, I
have to be very clear about what I'm actually trusting that list to do.
When I sign up for a list, I
On Apr 30, 2010, at 2:31 PM, John Levine wrote:
Even with your discardable adsp setting, it becomes a
matter of the order of checks at the receiver's gate (eg, whitelist
first, then adsp...)
But since mailbox providers already manage reputation at scale, how much
of a burden is adding this
On Apr 30, 2010, at 1:38 PM, Alessandro Vesely wrote:
On 30/Apr/10 12:13, Ian Eiloart wrote:
--On 28 April 2010 11:02:53 -0400 MH Michael Hammer (5304)
mham...@ag.com wrote:
2) One possible recommendation to list managers is that if a message to
the list is DKIM signed AND has an ADSP
On Apr 30, 2010, at 12:28 PM, Jeff Macdonald wrote:
I'm willing to go from a world where any system can use my From to one
where only the systems I say can. And that means changes.
That's an example of the problem in using the term: Much discussion about
DKIM presumes far more end-to-end
On Apr 28, 2010, at 5:02 AM, MH Michael Hammer (5304)
mham...@ag.com wrote:
A few thoughts to fuel the discussion:
2) One possible recommendation to list managers is that if a message
to
the list is DKIM signed AND has an ADSP discardable policy AND the
signature cannot be
I don't think that's what I'm saying. Currently lists don't do much to
authenticate senders. I don't think it's implausible that a recipient might
have stricter rules than a list manager. It might be unusual, I suppose.
I agree it's hypothetically possible, but have you ever seen an actual
We need to be precise about what we mean by trustworthy. Even if I
have some way to identify trustworthy lists as you put it above, I
have to be very clear about what I'm actually trusting that list to do.
When I sign up for a list, I trust it to send me mail that I am
willing to receive.
53 matches