One comment below [MB].
Mary
On Mon, Apr 27, 2020 at 10:07 PM John Levine <johnl@xxxxxxxxx> wrote:
In article <d020e8d0-f7ab-6bfc-b65f-250f7bf9e75e@xxxxxxxx>,
Michael Thomas <mike@xxxxxxxx> wrote:
>> XMPP differs from SMTP and SIP because there are no intermediate
>> domains - traffic passes from the source domain to the
>> destination domain directly, and in effect the concepts inherent in
>> DKIM and SPF about authorised senders are baked into the basic protocol.
>
>Ah, ok. Most likely the vast majority of email probably has that
>property too, but not all of it.
By volume I believe that the majority of non-spam mail is sent by
third party service bureaus on behalf of clients. They generally have
an arrangement so the bureau can put the client's DKIM signature on
the mail.
>> Yes, but SMTP-Auth closes that circle.
Sorry, I don't know what you're referring to by SMTP-Auth. Do you
mean authentication when connecting to a submission server? That's
useful but there's no necessary link between the submission-time
authentication identity and anything in the mail, and an awful lot of
mail is sent in ways that don't involve a submission server.
>But for the average SIP spam/phishing case the user part probably
>doesn't mean much. I really have no clue who gladys@xxxxxxx is, but I
>sure do want to know if irs.gov claims she's one of theirs. ...
Talking to some people at big telcos I get the impression that they
plan to use STIR/SHAKEN more or less the way mail systems use DKIM,
not to try to identify individuals sending message, but to develop
a repuation for inccoming message streams and to handle streams with
a lot of crud differently from streams without.
[MB] That's actually not the purpose of STIR/SHAKEN. STIR/SHAKEN is the signaling with some specific semantics about the originator that gives you more information you can use for traceback and as input to analytics. And, STIR/SHAKEN does identify individual telephone numbers. The processing you're talking is the analytics post STIR/SHAKEN and STIR/SHAKEN does identify individual telephone numbers. Personally, I think the traceback is of more importance so that the bad actors stop doing this. You have to look at the merits of STIR/SHAKEN in the context of the legislation in this space. And, SHAKEN is designed to ensure that only those that are valid telephony Service Providers can be part of the ecosystem - i.e., you cannot get a certificate unless you're registered with a central authority. [/MB]
--
Regards,
John Levine, johnl@xxxxxxxxx, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
