[Mailman-Users] ARC

[Jordan Brown]

On 7/26/2018 9:19 PM, Stephen J. Turnbull wrote:
> Jordan Brown writes:
>
>  > Well, yeah, but to provide such a service in a way that has any
>  > resemblance to being secure, Intuit *must* have some secret that allows
>  > it to send mail "from" those subdomains.  If Intuit doesn't need such a
>  > secret, then anybody could send mail like that.
>
> Sure, but (1) anyone can send mail like that anyway (and they do),

Wasn't this in the context of signature-checking schemes that detect
forged origin metadata?

> (2) the customers will (well, should) be checking invoices against their
> own purchasing records before they pay, and (3) after the vendor
> identifies Intuit as its billing agent, Intuit's own signature will do
> the trick.

So the vendor has to notify their customers who they use to do their
billing, and every time that they change billing vendors?  Ofttimes, the
goal is that the billing vendor is completely invisible to the end
customer.  I'm buying something from FrobozzCo; I should see e-mail that
comes from FrobozzCo (in a verifiable way), web pages that say FrobozzCo
and frobozzco.com, and the entry on my credit card statement should say
FROBOZZCO.  The fact that FrobozzCo uses Intuit is none of my business
and should be totally hidden from me.

Having your billing vendor be visible is, like having your company
e-mail address be @gmail.com, a mark of a tiny company that hasn't
really figured out how to make its business work.

> Securing a small number of own keys that get rotated on a schedule is
> one thing, securing a database of others' keys that regularly gets
> updated and multiple regular employees need access to is going to be
> quite another.

Not anywhere near as hard as it is for a full-scale e-mail vendor. 
Google secures a database of millions of users' secrets, and must have
internal and external controls that keep the wrong people from sending
mail that pretends to come from those users.