I've been following the thread(s) regarding how to enable 3rd parties where a formal relationship doesn't exist and this reinforces my thought that it is ultimately easier systemically (even allowing for the arguments that it is unfair) for intermediaries to take ownership of messages they (intentionally) modify and sign d= as first party signers.
I understand that there is a one-time cost (my own organization incurred this cost in changing how we handle mail for our website domains) to changing and I understand the reasons expressed by some for not wanting to make such changes based on principle, etc. I understand the argument that some are externalizing their costs.

Mike

From: dmarc [mailto:[email protected]] On Behalf Of Rolf E. Sonneveld
Sent: Tuesday, April 14, 2015 4:24 PM
To: Murray S. Kucherawy; Scott Kitterman
Cc: [email protected]
Subject: Re: [dmarc-ietf] Updated mandatory tag/conditional signature draft

On 04/14/2015 09:15 PM, Murray S. Kucherawy wrote:
> On Tue, Apr 14, 2015 at 8:25 AM, Scott Kitterman <[email protected]> wrote:
>> I haven't reviewed his in detail, so I've no opinion. I was talking about this proposal. Not getting fancy with MIME parts would be nice, so if this one can work, I already like it better than Murray's, but if we have to pile this onto the stack of nice ideas, then that's probably what I'll look at next.
>
> The elegance of John's idea is that it's content-agnostic, and is apparently backward compatible because v=1 verifiers will not consider the weak signature to be valid (unless they're already quite broken). There's no need to learn to parse MIME structure in order to produce a signature.
>
> I think the concerning part is deciding when to add the weak signature. The simplest thing is to always add it along with an "@fs=" signature, but then you're basically allowing the forwarding domain to sign any content it wants and you'll be approving it too, implicitly.

Remembering to what great lengths the ietf-dkim group went to make sure that every bit of a message was covered by the signature (and with the l= discussions in mind) I would really be surprised if adding the @fs= for all outbound mail would be an acceptable solution for the problem.

/rolf

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
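As an added illustration of the two points made in the quoted reply (example code, not from the thread, the draft under discussion, or any DKIM implementation): a DKIM tag-list parser following the RFC 6376 grammar, under which a tag name such as "@fs" is unparseable to a strict v=1 verifier and the signature is therefore invalid, beside a verifier that understands the tag. The conditional semantics modelled here ("@fs=domain" is accepted only if an accepted signature from that domain is present), the domain names and the header values are assumptions constructed for the example; the cryptographic check is represented by a set of domains whose signatures are taken to verify.

```python
import re

# RFC 6376 section 3.2: tag-name = ALPHA *ALNUMPUNC, ALNUMPUNC = ALPHA / DIGIT / "_"
TAG_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def parse_tag_list(header_value, strict=True):
    """Parse a DKIM tag=value list into a dict, or return None if unparseable.
    strict=True models an RFC 6376 (v=1) verifier: a tag name outside the grammar
    makes the whole list unparseable, so the signature is invalid.
    strict=False models a verifier that knows the conditional-signature tag."""
    tags = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:                      # trailing ';' is permitted
            continue
        if "=" not in item:
            return None
        name, value = item.split("=", 1)
        name, value = name.strip(), "".join(value.split())  # FWS is not part of a value
        if name in tags:                  # duplicate tags make the list unparseable
            return None
        if strict and not TAG_NAME_RE.match(name):
            return None
        tags[name] = value
    return tags


def accepted_signers(signature_headers, crypto_ok, legacy):
    """Return the sorted d= domains whose signatures a verifier accepts.
    crypto_ok: domains whose signatures are assumed to verify cryptographically
    (stands in for the hash/RSA check, which this example does not perform).
    Assumed semantics: a signature carrying '@fs=<domain>' is accepted only when an
    unconditional, accepted signature from <domain> is also present. Note that the
    originator's acceptance then depends solely on the forwarder's signature, not on
    what the forwarder signed: the implicit approval the reply above describes."""
    parsed = [parse_tag_list(h, strict=legacy) for h in signature_headers]
    sigs = [t for t in parsed if t and t.get("v") == "1" and t.get("d") in crypto_ok]
    unconditional = {t["d"] for t in sigs if "@fs" not in t}
    accepted = set(unconditional)
    for t in sigs:
        if "@fs" in t and t["@fs"] in unconditional:
            accepted.add(t["d"])
    return sorted(accepted)


# Constructed sample: originator adds a conditional signature naming the forwarder.
ORIGINATOR_SIG = ("v=1; a=rsa-sha256; d=origin.example; s=sel; @fs=list.example; "
                  "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
FORWARDER_SIG = ("v=1; a=rsa-sha256; d=list.example; s=sel; "
                 "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
BOTH = [ORIGINATOR_SIG, FORWARDER_SIG]
```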
