Hey Dave,

On Monday 19 October 2009 12:22:20 Dave CROCKER wrote:
> Barry Leiba wrote:
> > I suggest that ADSP-compliant mailing lists should be
> > advised to reject "discardable" messages whether or not they will be
> > breaking the signature.

Rejection is really only needed if they break the signature, which should be evident from their settings. The point of DKIM is to preserve integrity; however, the bank statement is a confidentiality issue.

For instance, I manage a private maillist of board members that receive PayPal notices. 100% DKIM validation pass rate. The maillist is configured to not modify the message, so the final recipients could validate it too if they wanted.

> Yes, this is a reasonable idea.
>
> The question is whether it is the /right/ idea.
>
> Another reasonable idea is that the mailing list should ignore ADSP, since
> ADSP is really meant for final recipients;

As the mailing list is probably the last place to see a valid signature, evaluating the ADSP there is the best idea. The mailing list verifier has greater confidence in rejecting broken signatures there than the final recipient. The final recipient could deploy some whitelisting model based on the behaviour of the list with minimal risk.

> note that ADSP only comes into
> play for recipients who support it. (Well, that is at least one model.)
> And there are no doubt lots of other reasonable ideas.
>
> At this stage, I believe rightness depends entirely on market preferences.
> Do we have any empirical data of ADSP use which experiences the problem
> being covered here,

Some was described here: http://mipassoc.org/pipermail/ietf-dkim/2009q4/012596.html

> resolves it in the way being suggested,

dkim=discard is the easy case.

> and garners receiver support?

At the moment, receivers who care about DKIM whitelist domains/IPs or, if they wish to accept some risk, rely on domain reputation.

> Absent any of that, this discussion is purely academic.
>
> Each proposal like this is expensive. It takes time to discuss, run
> through the process, test, deploy and use. We should let private
> experiments determine the preferred handling, before we seek to
> standardize a solution.
>
> Particularly since we seem to have only and exactly one market-based
> organization experiencing the problem.

Given the level of ADSP deployment, it is hardly unexpected that only one organisation that this group collectively knows about has disclosed a problem.
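The list-side handling argued for above (evaluate ADSP at the list, and reject "discardable" mail only when it arrives without a valid author signature or the list would break that signature), written out as an added Python example that is not from this thread. The ADSP records, domain names and the `list_action` function are constructed for illustration; a real list would fetch the record from DNS at `_adsp._domainkey.<author-domain>` rather than from a dictionary.

```python
"""Mailing-list ADSP decision: reject discardable mail only when necessary."""

# Constructed ADSP TXT records keyed by author (From:) domain.
# In production these come from a TXT query for _adsp._domainkey.<domain>.
ADSP_RECORDS = {
    "bank.example": "dkim=discardable",   # e.g. statements that must stay intact
    "shop.example": "dkim=all",           # signed, but unsigned copies may exist
    "blog.example": "dkim=unknown",       # explicit "no policy"
    # "other.example" publishes no ADSP record at all
}


def parse_adsp(txt):
    """Return the value of the dkim= tag from an ADSP record (tag=value; list),
    lower-cased, or None if the record is missing or carries no dkim= tag."""
    if txt is None:
        return None
    for tag in txt.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "dkim":
            return value.strip().lower()
    return None


def list_action(author_domain, author_sig_valid, list_modifies_message,
                records=ADSP_RECORDS):
    """Decide what the list should do with an incoming post.

    author_sig_valid      -- a DKIM signature with d= equal to the From: domain
                             verified at the list (ADSP only cares about that one)
    list_modifies_message -- the list adds footers/subject tags and so will break
                             that signature before the final recipient sees it
    Returns 'accept' or 'reject'.
    """
    policy = parse_adsp(records.get(author_domain)) or "unknown"
    if policy != "discardable":
        return "accept"             # 'all'/'unknown'/no record: not the list's call
    if not author_sig_valid:
        return "reject"             # discardable mail with no valid author signature
    if list_modifies_message:
        return "reject"             # we would break the only signature downstream can check
    return "accept"                 # valid signature, passed through intact
```

A list that is configured not to modify messages, as in the example above, therefore never rejects a validly signed post regardless of the author domain's policy.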
_______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
