On Fri, Apr 23, 2010 at 9:45 AM, Dave CROCKER <[email protected]> wrote:
>
>
> On 4/23/2010 6:50 AM, MH Michael Hammer (5304) wrote:
>> If John is making some assertion of responsibility for his message by
>> signing, what is the limit of his responsibility as the message flows through
>> the ecosystem? Where is the RFC that says his signature should be stripped?
>
> Most importantly, where is the specification that says a DKIM signature
> overrides The MailFrom address?

Not everything is codified in RFC or elsewhere. If John sends email to
my mailing list, and I emit that mail to the world, and it garners
complaints, it strikes me based on custom and history that I am the
responsible party. John would not be. Not directly, anyway.

>> If the list stripped his signature and someone modified what he wrote is this
>> a failure of DKIM or is it something else? What are we collectively (and
>> individually) trying to achieve if we are signing the body and not just the
>> headers?
>
> If a list already knows it should strip DKIM signatures, isn't also likely
> that the list will be able to sign?

No, because stripping the signature is currently easier than
generating a new one. Stripping the signature is just removing text.
Adding a new signature requires functionality not inherent to all MTAs
and MLMs.

> We have no empirical data that the presence of a list signature AND an author
> signature will produce the wrong results (for some definition of wrong.)

Yeah, but clearly the author signature alone can cause what somebody
here thinks to be an imperfect result. I tend to agree with him. I've
been stripping DKIM signatures on my own hosted mailing lists for that
reason, and also so I can modify content on the fly without the
original signature failing.

Regards,
Al Iverson
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
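
Added example, not part of the original message or of any MTA/MLM code base: a sketch of why a list footer invalidates the author's DKIM body hash (the bh= tag) under both canonicalizations, and of signature stripping as plain header removal. The function names and the sample message are constructed for illustration; the canonicalization follows RFC 6376 section 3.4.

```python
import base64
import hashlib
import re

def canon_body(body, mode="relaxed"):
    """DKIM body canonicalization, 'simple' or 'relaxed' (RFC 6376 3.4.3/3.4.4)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of SP/HTAB to one SP, then drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, mode="relaxed"):
    """Value a verifier compares against the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def strip_dkim(headers):
    """Drop DKIM-Signature fields, including their folded continuation lines."""
    out, skipping = [], False
    for line in headers:
        if line[:1] in (" ", "\t"):  # continuation of the previous field
            if not skipping:
                out.append(line)
            continue
        skipping = line.lower().startswith("dkim-signature:")
        if not skipping:
            out.append(line)
    return out

# Constructed sample message (not taken from the thread).
AUTHOR_BODY = b"Hello list,\r\n\r\nPatch attached.  \r\n\r\n"
LIST_FOOTER = b"_______________________\r\nNOTE WELL: list rules apply\r\n"
HEADERS = [
    "From: john@example.org",
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;",
    "\ts=sel; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
    "Subject: [list] patch",
]

def footer_breaks_signature(mode="relaxed"):
    """True when appending the list footer changes the author's body hash."""
    return body_hash(AUTHOR_BODY, mode) != body_hash(AUTHOR_BODY + LIST_FOOTER, mode)

if __name__ == "__main__":
    print(footer_breaks_signature("simple"), footer_breaks_signature("relaxed"))
    print(strip_dkim(HEADERS))
```

Relaxed canonicalization absorbs whitespace-only changes made in transit, but any added footer changes the hash, so a list that modifies the body must either remove the author signature or leave a signature that will fail verification.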
