-1
---
Sent from my mobile phone
On Jul 10, 2011, at 3:58 AM, "Michael Deutschmann"
wrote:
> On Sun, 10 Jul 2011, Hector Santos wrote:
>> Now of course, if ADSP was a standard and whitehouse.com had an
>> exclusive signing policy, receivers would have rejected the junk
>> distributed by Dave's l
> -Original Message-
> From: John Levine [mailto:jo...@iecc.com]
> Sent: Thursday, July 07, 2011 6:22 PM
>
> >Will your "assume one more From than listed in h=" lead to failed
> >verifications on messages that actually follow the advice in the RFC to
> >list duplicate headers in their h= v
I would agree with your statement if you put the word "deployers" between DKIM
and MUST.
> -Original Message-
> Unfortunately, the norm is not to make these checks because only DKIM
> invites the possible exploit. DKIM MUST accept the role of preventing the
> exploit it invites.
Will your "assume one more From than listed in h=" lead to failed verifications
on messages that actually follow the advice in the RFC to list duplicate
headers in their h= values?
> -Original Message-
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-
> boun...@mipassoc.org] On
I believe the context for your earlier comments that I responded to was the
discussion about deprecating i= and/or adding a new st= tag. I hope my
comments were not interpreted as supporting either of those changes. That was
not my intention.
On Apr 4, 2011, at 10:47 AM, John R. Levine wrote:
On Apr 4, 2011, at 12:09 AM, John Levine wrote:
> If there is a reason why people aren't able to use a d= domain per
> stream, I wish someone would explain in simple terms that even a
> dimwit like me can understand.
>
> The only arguments I'm aware of is that hostile or incompetent DNS
> manage
On Apr 3, 2011, at 5:12 PM, Dave CROCKER wrote:
> OK. So the capability exists, but people choose not to use it. Some people in
> fact choose to disable this capability; note that a) ADSP is an add-on, not the
> DKIM core, and b) the actual uptake of ADSP on the receive side is not known
On Mar 30, 2011, at 11:49 PM, Jim Fenton wrote:
>> . Goodmail ..
>> . .
>> V V
>> Client -> Mail -> Transfer -> Service -> Receiver -> Recipient
>>
>> Goodmail interacted wi
On Mar 2, 2011, at 3:19 AM, Michael Deutschmann wrote:
> On Tue, 1 Mar 2011, MH Michael Hammer wrote:
>> The display name is problematic as Mr. Crocker has pointed out. One
>> solution to this which I have suggested in the past is to not display
>> the display name in the MUA if the email fails t
of the RFC.
Yes?
On Jan 11, 2011, at 6:30 PM, Murray S. Kucherawy wrote:
>> -Original Message-
>> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
>> On Behalf Of McDowell, Brett
>> Sent: Tuesday, January 11, 2011 2:33 PM
>>
(if this doesn't belong on this list, please let me know)
RFC 4871 states:
> h= Acceptable hash algorithms (plain-text; OPTIONAL, defaults to
> allowing all algorithms). A colon-separated list of hash
> algorithms that might be used. Signers and Verifiers MUST
> support th
(sorry Stephen, but I had to reply to this one)
On Sep 15, 2010, at 12:01 PM, Steve Atkins wrote:
>> That seems aligned with Steve's point about DKIM's value coming (only?) when
>> the d= value is not the same as the domain-name in the from: field. So
>> according to you (and Steve?) the IETF
On Sep 15, 2010, at 11:02 AM, Jeff Macdonald wrote:
> On Wed, Sep 15, 2010 at 10:43 AM, McDowell, Brett
> wrote:
>> On Sep 15, 2010, at 12:11 AM, Murray S. Kucherawy wrote:
>>
>>> Based on that (rather precise) description, aren't ADSP's requirem
On Sep 15, 2010, at 12:11 AM, Murray S. Kucherawy wrote:
> Based on that (rather precise) description, aren't ADSP's requirements a
> proper subset of the DKIM requirements? If so, I'm not sure I agree with
> "badly conflicting", but it does frame future discussion quite nicely.
>
> For exampl
It was my understanding that the MLM BCP was intended to inform MLM operators
of what they should do with DKIM-signed mail. Since that is the critical
question, I would assert we need rough consensus on the answer to that question
before issuing a WGLC on the document. I do not believe we have
...and implement what you think should work before making an issue of it in
IETF.
That's been my #1 lesson this year (I'm new to IETF). I originally was
actually worried about blowback by the community if a large entity like
ourselves and few other household names just went off and deployed
On Sep 14, 2010, at 9:40 AM, Scott Kitterman wrote:
> On Tuesday, September 14, 2010 09:18:23 am John R. Levine wrote:
>> As I keep saying over and over, discardable really means discardable: if
>> in doubt, throw it away. It does NOT, repeat NOT, mean high value mail.
>> It means low value mai
On Sep 13, 2010, at 8:43 PM, John R. Levine wrote:
>> But if that stuff was signed before entering our whatevers, how can we
>> verify the signature when pulling it out? This question may entirely
>> invalidate assumptions that nobody ever actually made about somebody
>> else's theoretical wi
On Sep 13, 2010, at 5:30 PM, Douglas Otis wrote:
> On 9/13/10 1:03 PM, McDowell, Brett wrote:
>> The ADSP=discardable deployer is not conveying apathy regarding the
>> deliverability of their mail, quite the opposite IMO. They are saying (to
>> paraphrase) "please
On Sep 14, 2010, at 11:13 AM, John R. Levine wrote:
>> I agree with Mike's assessment.
>
> I remain unable to reconcile "this is very important" and "throw it away"
> applied to the same message.
>
Scott nailed it when he said: This means they view the risks of having legitimate
mail discar
On Sep 14, 2010, at 10:32 AM, John R. Levine wrote:
>> It does not mean low value mail and I don't think you will find a
>> sending implementing dkim=discardable that would agree with you.
>
> Then in the RFC we utterly failed to make it clear what dkim=discardable
> means. Sigh.
>
> Once again
On Sep 14, 2010, at 9:31 AM, MH Michael Hammer (5304) wrote:
>
>
>> -Original Message-
>> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-
>> boun...@mipassoc.org] On Behalf Of John R. Levine
>> Sent: Tuesday, September 14, 2010 9:18 AM
>> To: Ian Eiloart
>> Cc: DKIM
>> Subject:
On Sep 14, 2010, at 9:15 AM, Hector Santos wrote:
> Ian Eiloart wrote:
>
>> If the MLM owner knowingly breaks a signature, and either discards the
>> message or forwards it into a system that is likely to discard it, and do
>> not notify the sender, then the forwarder must be responsible for a
On Sep 13, 2010, at 10:10 AM, John R. Levine wrote:
>> What ADSP users want is irrelevant. This is about what MLMs want (which is
>> most likely to ensure that submitted messages reach the whole of their
>> list without problems).
>
> Right. The easiest way to do so, assuming you believe that en
On Sep 9, 2010, at 2:26 PM, Steve Atkins wrote:
>
> On Sep 9, 2010, at 11:12 AM, McDowell, Brett wrote:
>
>> I'd be surprised to discover many senders are rotating keys every eight days.
>
> I didn't suggest rotating keys every eight days. Rather, I suggeste
On Sep 4, 2010, at 9:31 PM, Steve Atkins wrote:
> The whole point of rotating keys is so that loss of an old private key
> isn't a risk. Given that, I think that even if you're fairly sure that a key
> pair hasn't been compromised then you should remove the public
> key as soon as is reasonable af
On May 20, 2010, at 10:09 AM, MH Michael Hammer (5304) wrote:
> If Brett or anyone else has data points that would impact the decision
> as to whether the group sticks to a Lists BCP discussion based on
> current practice/implementations or sets that aside to modify ADSP, now
> is the time to pres
On May 10, 2010, at 2:01 PM, Murray S. Kucherawy wrote:
> http://datatracker.ietf.org/doc/draft-kucherawy-dkim-lists/
>
> Would the WG like to bring it in and make it a WG document? If so, I
> volunteer to act as editor.
>
I'm an IETF newbie, so correct me if I'm wrong. But it seems you ar
On May 3, 2010, at 11:06 AM, MH Michael Hammer (5304) wrote:
> And it is easy enough to do "F2F" in a manner that does not break the
> authentication-based service.
How?
-- Brett
___
NOTE WELL: This list operates according to
http://mipassoc.org/dk
On Apr 30, 2010, at 11:05 AM, Michael Thomas wrote:
> On 04/30/2010 07:38 AM, McDowell, Brett wrote:
>> On Apr 30, 2010, at 10:23 AM, Michael Thomas wrote:
>>
>>> On 04/30/2010 07:05 AM, McDowell, Brett wrote:
>> But since mailbox providers already manage reputati
On Apr 30, 2010, at 12:28 PM, Jeff Macdonald wrote:
>>> I'm willing to go from a world where any system can use my From to one
>>> where only the systems I say can. And that means changes.
>>
>> That's an example of the problem in using the term: Much discussion about
>> DKIM presume far more en
On Apr 30, 2010, at 1:38 PM, Alessandro Vesely wrote:
> On 30/Apr/10 12:13, Ian Eiloart wrote:
>> --On 28 April 2010 11:02:53 -0400 "MH Michael Hammer (5304)"
>> wrote:
>>> 2) One possible recommendation to list managers is that if a message to
>>> the list is DKIM signed AND has an ADSP discard
On Apr 30, 2010, at 2:31 PM, John Levine wrote:
>>> Even with your discardable adsp setting, it becomes a
>>> matter of the order of checks at the receiver's gate (eg, whitelist
>> first, then adsp...)
>>
>> But since mailbox providers already manage reputation at scale, how much
>> of a burden i
On Apr 30, 2010, at 2:24 PM, John Levine wrote:
>
>> We need to be precise about what we mean by "trustworthy". Even if I
>> have "some way to identify trustworthy lists" as you put it above, I
>> have to be very clear about what I'm actually trusting that list to do.
>
> When I sign up for a
On Apr 30, 2010, at 10:23 AM, Michael Thomas wrote:
> On 04/30/2010 07:05 AM, McDowell, Brett wrote:
>>
>> In that scenario, if the MLM re-signing solution has been deployed by Y, and
> DKIM+ADSP has been deployed by X & Z, and Z has chosen to take action on X's
On Apr 30, 2010, at 5:30 AM, Ian Eiloart wrote:
> --On 29 April 2010 10:58:44 -0600 "McDowell, Brett"
> wrote:
>
>> On Apr 28, 2010, at 2:11 PM, John R. Levine wrote:
>>
>>>>
>>>> Your proposal that MLM remove Signatures would cause r
On Apr 29, 2010, at 9:06 PM, John Levine wrote:
> I just don't see how you can simultaneously say "throw away unsigned
> mail" and "don't throw away unsigned mail if a list says it used to be
> signed" unless you have some way to identify trustworthy lists.
Precisely! The key phrase being "unl
On Apr 29, 2010, at 3:47 PM, Graham Murray wrote:
> "McDowell, Brett" writes:
>
>> Priority: it's more important to us that cyber criminals not be
>> systemically enabled to leverage MLM systems to bypass email
>> authentication flows and consumer protect
(oops, sorry, it was an issue Al raised, not John... in any event here's my
answer)
On Apr 29, 2010, at 1:23 PM, Al Iverson wrote:
> On Thu, Apr 29, 2010 at 11:58 AM, McDowell, Brett
> wrote:
>> On Apr 28, 2010, at 2:11 PM, John R. Levine wrote:
>>
>>>>
Gentlemen...
There has *not* been a report of any misconfiguration on paypal.com. The
report, which I've taken off-list and am actively chasing down, actually *may*
indicate that gmail is not consistently blocking broken DKIM signatures from
paypal.com (which our ADSP asks and they have volunt
On Apr 28, 2010, at 2:11 PM, John R. Levine wrote:
>>
>> Your proposal that MLM remove Signatures would cause restrictive
>> policies to fail.
Which is why I oppose this proposal.
> Indeed. I'm assuming that any list that paid attention to ADSP would sign
> its outgoing mail and would expect
his early stage in order to continue to develop the concepts.
So... is there any other interest in this scenario... from MLM vendors or
service providers?
-- Brett
On Apr 27, 2010, at 3:11 PM, Dave CROCKER wrote:
>
>
> On 4/27/2010 12:04 PM, McDowell, Brett wrote:
>> On
Since you brought it up... ;-)
I would say there is no single "primary benefit" to DKIM. I would say there
are "many benefits" to DKIM. And, to be explicit about it, I believe applying
DKIM for the purpose of "consumer protection" is at least as valid a benefit of
DKIM as applying it for "imp
On Apr 27, 2010, at 2:57 PM, Dave CROCKER wrote:
>
> On 4/27/2010 11:48 AM, McDowell, Brett wrote:
>> Who do you feel we need to hear from at this stage to gauge interest?
>
>
> For any specification, it helps to hear from the folks who will write the
> software and
Who do you feel we need to hear from at this stage to gauge interest?
-- Brett
On Apr 27, 2010, at 2:32 PM, Dave CROCKER wrote:
>
>
> On 4/27/2010 11:08 AM, McDowell, Brett wrote:
>> On Apr 27, 2010, at 1:50 PM, Dave CROCKER wrote:
>>> On 4/27/2010 10:40 A
On Apr 27, 2010, at 1:50 PM, Dave CROCKER wrote:
> On 4/27/2010 10:40 AM, McDowell, Brett wrote:
>> That's how I see it. The key is that Y *validates* the DKIM signature and
>> processes the sender's ADSP
>
>
> Where is this going to be supported? T
On Apr 27, 2010, at 1:34 PM, Murray S. Kucherawy wrote:
>> -Original Message-
>> From: Jeff Macdonald [mailto:macfisher...@gmail.com]
>> Sent: Tuesday, April 27, 2010 10:05 AM
>> To: McDowell, Brett
>> Cc: Murray S. Kucherawy; ietf-dkim@mipassoc.org
>
On Apr 23, 2010, at 6:28 PM, Murray S. Kucherawy wrote:
> Something like: X sends to a list at Y that then relays to Z; Z trusts Y to
> implement DKIM and Authentication-Results and all that properly, so Z
> believes Y when it says "X had a signature on here that verified" even if X's
> signatu
On Apr 23, 2010, at 12:56 PM, John Levine wrote:
>> John, can you simply clarify the rules/logic of your FBL with Yahoo!?
>> That will clarify this scenario considerably.
>
> It's just like the IP based FBLs that other mail systems have, only
> keyed on DK or DKIM d= signing domains rather than I
On Apr 26, 2010, at 10:05 AM, MH Michael Hammer (5304) wrote:
> I think we are having the wrong discussion. The real question is:
>
> "What are appropriate practices for mailing lists in handling DKIM
> signed mail?"
Agreed.
From my perspective, I'd like to enable (not mandate or expect univer
I've read through all the responses on the list but I'm responding to John's
original message because so much of the responses have made critical
assumptions about the nature of the FBL with Yahoo!.
John, can you simply clarify the rules/logic of your FBL with Yahoo!? That
will clarify this sc