On 6/10/2014 6:55 PM, Dave Warren wrote:
> I've been surprised how many otherwise-technically-competent people
> use subject tags to filter mailing lists. However, I suspect much/most
> of this could go away if MUAs started displaying List-* information in
> a useful way, and made filtering on those headers easier than the
> Subject header or the To header.
Some MUAs have begun to use the List-ID, especially on the reply side
of things, so now you have a "Reply to List" button/option on some of
them. Opera Mail also uses List-ID to show a "Mailing List"
collapsible panel/view selection box of your subscriptions.
For Thunderbird (tbird), I had to manually add a message rule to use
the List-ID, but the first time I had to add the new header to the
header selection list.
Either way, if message footers and subject tags have to go away and
that gets us DKIM signatures through mailing lists (which seems to
mostly be possible now), that seems like a step forward.
I believe for some markets, there may be a legal requirement to add
footers. I think mail can survive, especially where it's very active;
bugs will be, and have been, fixed. But there are some legacy systems
and someone has to tweak them.
I believe in the chain of trust concept. It is ok for the LSP to
resign. I just think it doesn't help the security when unauthorized
signing is unchecked.
For TBIRD, I added two DKIM rules in TBIRD to add two color tags:
Green "DKIM PASS"
Red "DKIM FAIL"
This allowed me to explore problem areas. By now, we pretty much know
the reasons the original 1st party signature fails. My backend
verified this message from you and it shows:
Authentication-Results: dkim.winserver.com;
dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org;
adsp=fail policy=unknown author.d=hireahit.com signer.d=ietf.org
(unauthorized signer);
dkim=fail (DKIM_BODY_HASH_MISMATCH) header.d=hireahit.com
header.s=MD-20140321 header.i=hireahit.com;
adsp=pass policy=unknown author.d=hireahit.com signer.d=hireahit.com
(originating signer);
First, if you add the ADSP/ATPS records to your hireahit.com zone, it
all works for the 3rd party ietf.org resigner.
_adsp._domainkey.hireahit.com IN TXT "dkim=unknown; atps=y; asl=ietf.org;"
PQ6XADOZSI47RLUIQ5YOHG2HY3MVJYOO._atps.hireahit.com IN TXT "v=atps01; d=ietf.org;"
This authorizes ietf.org and you will have adsp=pass. You can use
this wizard to explore the record and create other authorizations.
http://www.winserver.com/public/wcadsp
Second, notice the DKIM_BODY_HASH_MISMATCH. This is pretty much a
signal that it was a body integrity error, not the signature itself,
so all the 5322 headers are fine. This is good information to use in
logic.
But if you use ADSP/ATPS, then you are also telling the world that your
original signature doesn't matter any more after it was resigned by
the trusted signer.
All we need to do is apply the same idea to DMARC.
--
HLS
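Added example, not part of the message above: a Python sketch of the RFC 6541 ATPS check a verifier performs for the two hireahit.com records shown, using a constructed in-memory zone in place of live DNS. The label is computed as RFC 6541 specifies (base32 of SHA-1 over the lowercased signer domain, padding stripped), and the verdict strings mirror the Authentication-Results comments in the message; the helper names are my own.

```python
import base64
import hashlib

# Constructed stand-in for DNS TXT lookups: the two records from the
# message, keyed by owner name, so the check runs offline.
ZONE = {
    "_adsp._domainkey.hireahit.com": "dkim=unknown; atps=y; asl=ietf.org;",
    "PQ6XADOZSI47RLUIQ5YOHG2HY3MVJYOO._atps.hireahit.com": "v=atps01; d=ietf.org;",
}


def parse_tags(record):
    """Split a 'k=v; k2=v2;' record into a dict (tag syntax shared by DKIM/ADSP/ATPS)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def atps_label(signer_domain, algorithm="sha1"):
    """RFC 6541 owner label: base32(hash(lowercased signer domain)) with '=' padding removed."""
    name = signer_domain.lower().rstrip(".").encode("ascii")
    digest = hashlib.new(algorithm, name).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")


def evaluate_third_party(author_domain, signer_domain, zone=ZONE):
    """ADSP-style verdict for a valid DKIM signature by signer_domain on mail from author_domain."""
    if signer_domain.lower() == author_domain.lower():
        return "pass", "originating signer"
    # Step 1: the author domain must opt in to ATPS via its ADSP record (atps=y).
    adsp = zone.get(f"_adsp._domainkey.{author_domain}")
    if adsp is None or parse_tags(adsp).get("atps", "n").lower() != "y":
        return "fail", "unauthorized signer"
    # Step 2: look up the hashed signer label under the author domain.
    atps = zone.get(f"{atps_label(signer_domain)}._atps.{author_domain}")
    if atps is None:
        return "fail", "unauthorized signer"
    # Step 3: the d= tag must name the signer; the hash alone is not proof.
    if parse_tags(atps).get("d", "").lower() == signer_domain.lower():
        return "pass", "authorized third-party signer"
    return "fail", "unauthorized signer"


if __name__ == "__main__":
    for signer in ("hireahit.com", "ietf.org", "example.net"):
        print(signer, evaluate_third_party("hireahit.com", signer))
```

With the records present, the ietf.org resigner yields pass; drop either record, or change d=, and the same signature falls back to "unauthorized signer".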
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc