Hector Santos wrote: > As an author of a list server, I prefer to STRIP the > signature when allowed to avoid tampering with the many > options already offered to the list owner.
If you tamper with the message that's your best choice. But ordinary lists don't tamper with messages, they redistribute them as is, adding their List header fields, and using their own Return-Path for automatical handling of errors. Sympa also adds an Errors-To reflecting the Return-Path, and that's the main case where DKIM must work transparently, for unmodified redistributed mails. Strip old signature or similar recipes are hardcore gateways stuff, not be part of normal DKIM procedures. Gateway operators are supposed to know what they do. > o=? WEAK (signature optional, no third party) Oops, there it is, when I checked the SSP draft some hours ago I missed this. What does WEAK mean for an _unsigned_ mail at a third party willing to sign it ? I hope it means nothing in this case and affects only signed mails. > WEAK, strip, do not sign Stripping a valid signature makes no sense for redistributors. That's only necessary if the original mail is mutilated beyond recognition, the forged / broken / inconvenient (pick what you like) cases. DKIM can't do much about these cases, recommend to exclude the subjects from the signed header fields maybe. If the bad guys try to abuse this by squeezing their spam into the subject let them, it won't work as expected. > What about the WEAK (o=?) policy? Yes, no part of the actual SSP draft. Not yet or not more ? I don't see how it could work for unsigned mails. Should third parties willing to sign mails always check the SSP ? In that case I'd say a simple implementation of third party signatures is DON'T. Fast, robust, and no chance to get in trouble. Bye _______________________________________________ ietf-dkim mailing list http://dkim.org
