John says...
> Ohhh, noooooo, not this again. We flogged this topic at length while
> arguing DK versus IIM.

:-)

> I think it'll be a swell idea for list software to use DKIM on
> incoming messages to verify the sender, but that's the list manager's
> job, not the subscribers'.

Right. The idea, as I put it once, was that "If you break it, you bought it." Put less colloquially, if a mailing list that knows it's going to mangle the message receives a DKIM-signed message, it should

1. Verify the signature.
2. Apply whatever reputation service, white/black lists, spam filtering, etc that it wants to, to decide whether the message should pass on to the mailing list.
3. If it decides that it should pass, the mailing list should LEAVE the existing signature (that part is not universally agreed on, of course, but the next part is), mangle the message, and re-sign it (which is not the same as being resigned to it).

The mailing list may, of course, choose to re-sign the message even if it does not mangle it, which is all the more reason to leave the original (still-valid) signature there.

> Or maybe you meant remailers and forwarders rather than lists? I
> think we all agree that DKIM is intended to survive those.

Yea, verily, 'tis.

Barry

--
Barry Leiba, Pervasive Computing Technology ([EMAIL PROTECTED])
http://www.research.ibm.com/people/l/leiba
http://www.research.ibm.com/spam
_______________________________________________
ietf-dkim mailing list
http://dkim.org
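
An added example, not part of the original message: why a list that "mangles" a message has to re-sign it. It covers only the DKIM body-hash step (`bh=`, relaxed body canonicalization per RFC 6376), not the RSA signature over the headers. The domain `author.example`, selector `sel1`, message body and footer are constructed for illustration.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of space/tab to one space, drop whitespace at line ends.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a signer puts in bh= for relaxed body canonicalization, a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def bh_tag(dkim_header: str) -> str:
    """Extract bh= from a DKIM-Signature tag list, ignoring folding whitespace."""
    for tag in dkim_header.split(";"):
        name, _, value = tag.partition("=")
        if name.strip() == "bh":
            return re.sub(r"\s+", "", value)
    raise ValueError("no bh= tag")

def bh_matches(dkim_header: str, body: bytes) -> bool:
    """True if the body still hashes to the value the signer recorded."""
    return bh_tag(dkim_header) == body_hash(body)

# Constructed sample: what the author's domain signed (b= elided, not checked here).
ORIGINAL_BODY = b"Yea, verily,  'tis.\r\n\r\n"
AUTHOR_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=author.example; s=sel1; "
              "h=from:to:subject; bh=" + body_hash(ORIGINAL_BODY) + "; b=...")

# The list "mangles" the message by appending its footer (constructed).
LIST_FOOTER = b"_______________\r\nexample list footer\r\n"
MANGLED_BODY = ORIGINAL_BODY + LIST_FOOTER

def list_resign_bh(mangled: bytes) -> str:
    """bh= that the list's own, additional signature must carry after mangling."""
    return body_hash(mangled)

if __name__ == "__main__":
    print("author sig vs original body:", bh_matches(AUTHOR_SIG, ORIGINAL_BODY))
    print("author sig vs mangled body: ", bh_matches(AUTHOR_SIG, MANGLED_BODY))
    print("list signature bh=", list_resign_bh(MANGLED_BODY))
```

The author's signature header is left in place untouched; the list adds a second DKIM-Signature whose `bh=` covers the body as the list actually sends it.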
