On 7/6/20 3:41 PM, John Levine wrote:
> In article <e8ab65f6-0ba7-d8db-61c5-7fceb46b9...@bluepopcorn.net>,
> Jim Fenton  <fen...@bluepopcorn.net> wrote:
>> Your use of  "credible mediator" and "sleazy mediator" emphasizes that
>> we're depending on the mediator behaving responsibly. Given that's the
>> case, why not just expect a responsible mediator to verify the DKIM
>> signature (or maybe SPF) on the incoming message, check its alignment
>> with the From: domain, then make whatever modifications it wants to
>> make, then re-sign the message with the mediator's DKIM signature
>> containing a tag that says it did all of the above?
> According to people I've talked to about ARC, because mailing lists
> don't do that. One of the things that makes it plausible that lists
> might implement ARC is that it doesn't ask for any changes in the
> internal operation of the list, just slap an ARC signature on the end.
"Just slap an ARC signature on the end" greatly understates the
complexity of ARC.
>
> It's also useful for other kinds of forwarding that don't change
> anything but since they're forwards, SPF fails.
If a mediator can add an ARC signature, they can add a DKIM signature.
All this would add to DKIM signing is an additional tag indicating
whether the message received by the mediator had an aligned signature or
SPF.
>
> This proposal makes lists sort through all of the changes they make
> and try to figure out which ones match a tag and which ones don't.
> That is surprisingly hard, e.g., I found that when you have
> multipart/alternative and add a message header, it edits the header
> text into both of the alternative versions.  Good luck unscrambling that.

Perhaps I didn't explain this clearly enough. Mediators don't need to
sort through changes at all. All they do is check to see if the incoming
message had an aligned signature or SPF, and include a tag in the DKIM
signature that they apply indicating that.

Receiving domains that intend to enforce DMARC would need to verify the
DKIM signature of the mediator, and if the signature came from a
credible mediator and the tag is present, accept the message as though
it had an aligned signature.

-Jim
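A toy model of the proposal in the message above, added here as an example and not code from the thread or from any DKIM implementation: the mediator checks strict alignment of the incoming message, records the result under a tag in its own signature, and the receiver honours that tag only when the signature verifies and the mediator is on its credible list. The tag name `x-aligned`, the HMAC stand-in for DKIM's public-key signature and the credible-mediator dictionary are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Hypothetical tag name: the thread proposes "an additional tag" but does not name it.
ALIGNED_TAG = "x-aligned"


@dataclass
class Incoming:
    from_domain: str
    dkim_domain: Optional[str]  # d= of a DKIM signature the mediator verified, or None
    spf_domain: Optional[str]   # domain for which SPF passed at the mediator, or None
    body: str


def is_aligned(msg: Incoming) -> bool:
    """Strict DMARC-style alignment: authenticated domain equals the From: domain.
    Relaxed (organizational-domain) alignment is omitted to keep the example short."""
    return msg.from_domain in (msg.dkim_domain, msg.spf_domain)


def parse_tags(sig: str) -> dict:
    """Split a DKIM-Signature-style tag list; unknown tags are kept, as RFC 6376 requires."""
    return {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in sig.split(";") if t.strip())}


def mediator_resign(msg: Incoming, mediator_domain: str, key: bytes) -> str:
    """Mediator: record the incoming alignment result in its own signature.
    HMAC-SHA256 over the tag list plus body stands in for real DKIM signing."""
    tags = {"v": "1", "a": "hmac-sha256", "d": mediator_domain, "s": "list",
            ALIGNED_TAG: "1" if is_aligned(msg) else "0"}
    unsigned = "; ".join(f"{k}={v}" for k, v in tags.items())
    b = hmac.new(key, (unsigned + msg.body).encode(), hashlib.sha256).hexdigest()
    return f"{unsigned}; b={b}"


def receiver_verdict(sig: str, body: str, credible: dict) -> str:
    """Receiver: trust the tag only on a valid signature from a credible mediator."""
    tags = parse_tags(sig)
    key = credible.get(tags.get("d"))
    if key is None:
        return "fail: mediator not credible"
    unsigned = sig.rsplit("; b=", 1)[0]  # b= is excluded from what is signed, as in DKIM
    expected = hmac.new(key, (unsigned + body).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tags.get("b", "")):
        return "fail: mediator signature invalid"
    if tags.get(ALIGNED_TAG) == "1":
        return "pass: aligned at mediator"
    return "fail: not aligned before mediation"
```

Because the tag is covered by the mediator's signature, a forwarder that flips it without the mediator's key produces a signature failure rather than a pass.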



_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc