On Sat, Aug 17, 2024 at 3:05 PM Steffen Nurpmeso <[email protected]> wrote:
> Since then myriads of possibilities have been added to generate > "more identification value" of an email's source, even "over the > corner", and what not. > Myriads? Which ones are those? > |indirect mail flows. I think you'd need to address those as well. Do > you > |have something in mind? > > I must admit i currently do not know what you are talking about. > You said you've read RFC 6377, so I think you probably do because it lays out the problem I'm talking about. > If a message has been altered, all bets are off. > This is a tremendous failure of the IETF and those giants which do > it the way they do it. > I can't follow this line of argument. > In my humble opinion the solution is > > - announce this change in the DKIM signature via a new, backward- > compatible flag > I don't understand this flag. What information is this giving to end users? Will they understand it? Why should they trust it? If you hand the spam community a trusted way to say "please forgive the fact that this message does not bear a valid author domain signature", I assure you they will use it. We have already tinkered with the idea of augmenting DKIM in some way to indicate "these mutations were made to the message; if you undo them, you may recover the author domain signature". My recollection is that the community feels like this approach is too fragile, or too hard to make comprehensive; there are too many possible mutations for this approach to work universally or to be sufficiently robust. > No. If you have to alter the message, flag that this has > happened, and user interfaces need to be changed over time so that > users are given possibilities to white/allow-list some specific > party which does that, like a mailing-list. > Relying on users to edit some kind of allow list is prone to error. Users will forget to do it, and then complain. Users will complain that they have to go through an extra step at all. Users will unsubscribe, but forget to clean this up, possibly exposing themselves to attacks. > Google and/or KI may even (offer) auto-pilot(s for) *that*, simply > by tracking their users: ie, if a thousand people say "yes" to > some IETF mailing-list, there is a high probability this is ok. > (But it is not more than that, never. Without a real person.) > I suspect that automation has to work at a threshold much lower than a thousand to be practical. -MSK
_______________________________________________ Ietf-dkim mailing list -- [email protected] To unsubscribe send an email to [email protected]
