On Tue, Apr 10, 2018 at 1:04 AM Vittorio Bertola < vittorio.bert...@open-xchange.com> wrote:
> > > Il 10 aprile 2018 alle 2.15 Brandon Long via mailop <mailop@mailop.org> > ha scritto: > > > > > > Google does not yet trust third party ARC signatures, yes. We're open > to manually > > adding some as they become available, but overall, it's a chicken and > egg thing > > so far, there aren't enough of them yet for us to create a mechanism to > automatically > > build trust. > > This is also the biggest concern about ARC from my viewpoint. There are a > few millions of small independent mail servers and some of them run just a > handful of mailing lists, e.g. for a local non profit or group of friends. > The list server software may implement ARC, but how will these hosts be > able to gain the trust necessary for the receivers to accept their ARC > signatures? Very big players like Google already have a complex trust > system in place and may be able to come up with good automated measurements > of trust even for small hosts, but the risk is that others will just build > a whitelist of the few major mailing list platforms and distrust everyone > else's lists (which, as far as I know, is how OpenARC's implementation > works for the moment). > > It would be better to go by blacklists, as it has usually been for > anti-abuse, rather than by whitelists; it would be even better if there > were an effort to share trust indicators so that even small operators can > use them. > There's nothing preventing anyone from creating a domain-based rbl for arc, or even a whitelist service, or submitting patches to OpenARC to support them. Brandon
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
