Wacky Weekend: The '.secure' gTLD

• Previous message (by thread): Wacky Weekend: The '.secure' gTLD
• Next message (by thread): Wacky Weekend: The '.secure' gTLD
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 05/31/2012 06:16 PM, Fred Baker wrote:
>
> not necessarily. It can be done with a laptop that does "dig" and sends email to the place.
>
> What will drive the price up is the lawsuits that come out of the woodwork when they start trying to enforce their provisions. "What? I have already printed my letterhead! What do you mean my busted DKIM service is a problem?"
>
> BTW, getting DKIM on stuff isn't the issue. I'm already getting spam with DKIM headers in it. It's getting the policy in place that if a domain is known to be using DKIM, to drop traffic from it that isn't signed or for which the signature fails.

Wow, I wouldn't have expected such a deep dive on DKIM here, but...

Last I heard, where we're at is sort of bilateral agreements between the
paypals of the world telling the gmails of the world to drop broken/missing
DKIM signatures. And that is between pretty specialized situations -- it
doesn't apply to corpro-paypal denizens, just their transactional mail.
The good news is that even though it's specialized, it's both high volume
and high value.

The big problem with a larger scope -- as we found out when I was still
at Cisco -- is that it's very difficult for $MEGACORP to hunt down
all of the sources of legitimate email that is sent in the name of
$MEGACORP. Some of these mail producers are ages old, unowned,
unmaintained, and still needed. It's very difficult to find them all,
let alone remediate them. So posting some policy like "DROP IF
NOT SIGNED" will send false positives to an unacceptable level
for $MEGACORP.  So the vast majority of Cisco's email is signed, but
not all of it. After 4 years away, I would be very surprised to hear that
has changed because IT really doesn't have much motivation to hunt
it all down even if it ultimately lead to being able to make a stronger
statement.

One other thing:

>> That particular one is from an email sent to me by a colleague named Tony Li<tli at cisco.com>, who is a Cisco employee. It gives you proof that the message originated from Cisco, and in this case, that Cisco believes that it was originated by Tony Li.

In reality, Cisco doesn't know that's it really coming from Tony Li. We
never required authentication to submission servers. And even if we
did, it wouldn't be conclusive, of course.

A valid DKIM signature really says: "we Cisco take responsibility for this
email". If it's spam, if it's spoofed from a bot, if it's somebody having
dubious fun spoofing Tony Li... you get no guarantee as the receiving
MTA that it isn't one of those, but you can reasonable complain to
Cisco if you're getting them because it's going through their
infrastructure. I think that's an incremental improvement because it
was far too easy for the $ISP's of the world to blow off complaints of
massive botnets on their networks because they could just say that
it must have been spoofed. If they sign their mail, it's now their
responsibility.

Mike

• Previous message (by thread): Wacky Weekend: The '.secure' gTLD
• Next message (by thread): Wacky Weekend: The '.secure' gTLD
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]