> -----Original Message-----
> From: [email protected] [mailto:ietf-dkim-
> [email protected]] On Behalf Of Al Iverson
> Sent: Friday, April 23, 2010 2:07 PM
> To: [email protected]
> Subject: Re: [ietf-dkim] Why mailing lists should strip DKIM signatures
>
> On Fri, Apr 23, 2010 at 9:45 AM, Dave CROCKER <[email protected]> wrote:
> >
> >
> > On 4/23/2010 6:50 AM, MH Michael Hammer (5304) wrote:
> >> If John is making some assertion of responsibility for his message by
> >> signing, what is the limit of his responsibility as the message flows
> >> through the ecosystem? Where is the RFC that says his signature should
> >> be stripped?
> >
> > Most importantly, where is the specification that says a DKIM signature
> > overrides The MailFrom address?
>
> Not everything is codified in RFC or elsewhere. If John sends email to
> my mailing list, and I emit that mail to the world, and it garners
> complaints, it strikes me based on custom and history that I am the
> responsible party. John would not be. Not directly, anyway.
>

But John made a private arrangement with Yahoo that if there was a
complaint about a mail and he DKIM signed it then Yahoo should send the
complaint to him as part of its FBL offering. They did exactly what he
asked them to do.

> >> If the list stripped his signature and someone modified what he wrote
> >> is this a failure of DKIM or is it something else? What are we
> >> collectively (and individually) trying to achieve if we are signing the
> >> body and not just the headers?
> >
> > If a list already knows it should strip DKIM signatures, isn't it also
> > likely that the list will be able to sign?
>
> No, because stripping the signature is currently easier than
> generating a new one. Stripping the signature is just removing text.
> Adding a new signature requires functionality not inherent to all MTAs
> and MLMs.
>

The fact that it is easier does not make it correct - doesn't
necessarily make it incorrect either - that's in part what the
discussion is about. So if the list strips the signature and doesn't
sign itself then John's responsibility (which he asserted) is abrogated
with no acceptance of responsibility by the list owner. Is this really a
general behavior that we want to promote? I ask this in all seriousness.

> > We have no empirical data that the presence of a list signature AND an
> > author signature will produce the wrong results (for some definition of
> > wrong.)
>
> Yeah, but clearly the author signature alone can cause what somebody
> here thinks to be an imperfect result.
>
> I tend to agree with him. I've been stripping DKIM signatures on my
> own hosted mailing lists for that reason, and also so I can modify
> content on the fly without the original signature failing.
>

But are you (people we can have a reasonable expectation that we can
somewhat trust to act responsibly) the rule or are you the exception?

I think I tend to agree with Steve. Notify all parties that assert
responsibility. That would include the author domain signer as well as
the list if they wish to accept responsibility for mail they emit.

Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
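
The thread mentions that a list which modifies content on the fly makes the original author signature fail. The following is an added example, not part of any poster's message, that shows why by computing the DKIM body hash (the `bh=` value) under "relaxed" body canonicalization before and after relaying. The sample bodies, the footer text and the function names are constructed for illustration.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """Apply DKIM 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab to one space and drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Empty lines at the end of the body are ignored.
    while lines and lines[-1] == b"":
        lines.pop()
    # Every remaining line is terminated with CRLF; an empty body stays empty.
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in bh=."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def author_hash_survives(signed_body: bytes, relayed_body: bytes) -> bool:
    """True if a verifier would recompute the same bh= after relaying."""
    return body_hash(signed_body) == body_hash(relayed_body)


# Constructed sample: the body as the author's domain signed it.
AUTHOR_BODY = b"Hello list,\r\n\r\nThe draft is attached.\r\n"

# Constructed sample: a relay that only disturbs whitespace.
RELAYED_WHITESPACE = b"Hello list,  \r\n\r\nThe  draft is attached.\r\n\r\n\r\n"

# Constructed sample: a list manager appending its footer to the body.
LIST_FOOTER = b"_______________\r\nexample-list mailing list\r\n"
RELAYED_WITH_FOOTER = AUTHOR_BODY + LIST_FOOTER

if __name__ == "__main__":
    print("signed bh=           ", body_hash(AUTHOR_BODY))
    print("whitespace-only relay", author_hash_survives(AUTHOR_BODY, RELAYED_WHITESPACE))
    print("footer appended      ", author_hash_survives(AUTHOR_BODY, RELAYED_WITH_FOOTER))
```

Whitespace-only changes are absorbed by the canonicalization, while the appended footer changes the hash, so the author's signature no longer verifies unless the list leaves the body untouched.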
