On 10/12/09 7:04 AM, Wietse Venema wrote:
> Michael Deutschmann:
>> If this is indeed the official semantics of the protocol, then I would
>> petition to add a "dkim=except-mlist" policy. Which means "I sign
>> everything that leaves my bailiwick, but may post to signature-breaking
>> MLs."
>
> Are you going to announce all your users mailing list subscriptions
> in the policy record? If you do, that could be a privacy problem.

When a domain of a mailing list is publicly known, often so are the lists themselves. The tpa-label approach will not indicate which specific list is used, only that a domain is authorized to act on behalf of the Author Domain. When some non-public domain is being used by a mailing list, then the tpa-label itself would not be immediately apparent.

> If you don't, then the spammer can add any mailing list header to
> the message, and they can drive their truck through this hole.

Agreed. Which is why it makes sense to have Author Domains indicate to their recipients the specific domains being used to originate messages carrying their Author Domain. Perhaps it might become common to have an Intra-net web page where users request specific mailing-lists to be included in the auto-generated tpa-label list.

Part of the concepts behind the tpa-label approach was to provide a means to authorize sources for the domain's messages by-name as a means to help limit the sources that might generate abuse feedback reports. Rather than checking with some reputation service, what better source would there be than checking with Author Domain themselves?

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
