On 6/10/2014 2:16 AM, Stephen J. Turnbull wrote:

> I'm not proposing additional validation.  As I've said before, I have
> no quarrel with the DMARC protocol or its component protocols (at
> least I've not found a reason to dislike it yet), although I strongly
> dislike Yahoo!'s policy use of "p=reject".

Are you opposed to any other domain using strong policies, or just certain ones? In other words, would you honor the p=reject for other domains, just not Yahoo's?

You didn't answer the question in another post regarding whether you are even ready for, or support the idea of, doing a DNS lookup to find out what a domain's policy is.

> I'm suggesting the information could be used in the MUA UI.  A failed
> signature *would* fail.  Consider the following scenario:
>
> (1) User posts, MTA DKIM-signs using DKIM-delegate protocol (main
>      signature signs Subject and body, delegate signature does not).
> (2) Mailing list decorates Subject, MTA DKIM-signs all the usual
>      fields and body, and distributes.
> (3) Recipient MTA notes failure of main originator signature but
>      accepts according to local policy about DKIM-delegate and valid ML
>      signature, ignoring z=.

> Isn't that OK?  Now

It is easier, more feasible, and safer to just reject/discard the failed message (due to policy) at the backend and be done with it.

> (4) Recipient MUA has a choice of
>      (a) Displaying decorated Subject verbatim.
>      (b) Displaying z= Subject verbatim.
>      (c) Matching decorated and z= subjects, and discarding mismatched
>          portions.
>      (d) As (c), but de-emphasizing mismatched decorations (e.g.,
>          grey-on-grey).
>      (e) Something else.
>
> I'm suggesting something along the lines of (b), (c), or (d).  If the
> MUA does (a), it just falls into the abuser's trap, of course.  But
> that's exactly what would happen now if somebody found a way to suborn
> dkim-delegate.

Do you realize how many different MUAs exist, and the different forms of MUAs? Why pass the buck to the user when the backend can deal with this and it works for all MUAs!!

This is like assuming there is only GNU mailman out there. Even then, are you going to make the changes to your VM editor?

--
HLS
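The MUA-side handling Stephen sketches in (4)(c) and (4)(d), written out as an added example that is not part of this thread and not anyone's shipping code: parse the z= copied-header tag out of a DKIM-Signature value (RFC 6376 dkim-quoted-printable, copied fields separated by "|"), recover the Subject the originator signed, diff it against the Subject as delivered after the list decorated it, and render either with the mismatched decoration dropped (c) or marked (d). The signature header value, the decorated Subject and the "lured" Subject are constructed sample data; the «…» marker stands in for a grey-on-grey rendering; no signature is verified.

```python
import difflib
import re

# Constructed sample data (not from the thread): a DKIM-Signature header value
# as the originator's MTA might emit it, carrying the signed Subject in the
# z= tag, and the Subject as delivered after a mailing list prepended its tag.
ORIGINATOR_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; d=example.org; s=sel; c=relaxed/relaxed; "
    "h=from:to:subject:date; "
    "z=From:alice@example.org|To:dmarc@ietf.org"
    "|Subject:Re:=20MUA=20display=20of=20z=3D=20headers; "
    "bh=...; b=..."
)
DELIVERED_SUBJECT = "[dmarc] Re: MUA display of z= headers"
# Second constructed case: list decoration plus an appended lure, the kind of
# edit the thread worries about if a list signature were suborned.
LURED_SUBJECT = DELIVERED_SUBJECT + " - ACTION REQUIRED: reset your password"


def parse_tags(sig_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 3.2).

    Folding whitespace is dropped from values; a valid signature does not
    repeat tag names, so a plain dict is enough.
    """
    tags = {}
    for part in sig_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags


def decode_dkim_qp(text):
    """Decode dkim-quoted-printable (RFC 6376 2.11): =XX hex escapes."""
    raw = re.sub(
        rb"=([0-9A-Fa-f]{2})",
        lambda m: bytes([int(m.group(1), 16)]),
        text.encode("ascii"),  # the tag is 7-bit by construction
    )
    return raw.decode("utf-8", "replace")


def copied_headers(sig_value):
    """Return {lower-case header name: value} from the z= tag ({} if absent).

    '|' separates copied fields; a literal '|' inside a value must be
    encoded as =7C, so split on '|' before decoding.
    """
    z = parse_tags(sig_value).get("z")
    if not z:
        return {}
    fields = {}
    for field in z.split("|"):
        name, _, value = field.partition(":")
        fields[name.lower()] = decode_dkim_qp(value)
    return fields


def classify_subject(delivered, original):
    """Label segments of the delivered Subject against the z= copy.

    'same'    text present in both,
    'added'   text only in the delivered header (decoration or an edit),
    'removed' text from the original that is gone.
    """
    matcher = difflib.SequenceMatcher(None, original, delivered, autojunk=False)
    segments = []
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op == "equal":
            segments.append(("same", delivered[j1:j2]))
            continue
        if i2 > i1:
            segments.append(("removed", original[i1:i2]))
        if j2 > j1:
            segments.append(("added", delivered[j1:j2]))
    return segments


def render(segments, mode):
    """Build the display string for option (c) or (d) from the thread.

    mode "c": show only text the originator signed; decoration is dropped.
    mode "d": keep decoration but wrap it in «» as a stand-in for a
              de-emphasised (grey-on-grey) rendering.
    'removed' text is absent from the delivered header and is not shown.
    """
    out = []
    for kind, text in segments:
        if kind == "same":
            out.append(text)
        elif kind == "added" and mode == "d":
            out.append("«" + text + "»")
    return "".join(out)


def display_subject(sig_value, delivered, mode):
    """End to end: z= Subject vs. delivered Subject -> string for the MUA."""
    original = copied_headers(sig_value).get("subject")
    if original is None:
        return delivered  # no z= copy: nothing to compare against
    return render(classify_subject(delivered, original), mode)


if __name__ == "__main__":
    for subj in (DELIVERED_SUBJECT, LURED_SUBJECT):
        for mode in "cd":
            print(mode, display_subject(ORIGINATOR_DKIM_SIGNATURE, subj, mode))
```

Two caveats a practitioner would attach. First, the z= copy lives in the originator's DKIM-Signature header field, and in the scenario above that signature has already failed; the copy is only as trustworthy as some signature that still verifies and lists that header field in its h= (for example the list's signature), which this code does not check, and RFC 6376 presents z= as diagnostic information rather than as input to verification. Second, the comparison has to be implemented in every MUA that wants it, which is exactly the objection raised in this reply: a policy reject or quarantine at the backend needs no MUA change at all.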


_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
