> -----Original Message-----
> From: [email protected] [mailto:ietf-dkim-
> [email protected]] On Behalf Of MH Michael Hammer (5304)
> Sent: Friday, April 23, 2010 11:22 AM
> To: Al Iverson; [email protected]
> Subject: Re: [ietf-dkim] Why mailing lists should strip DKIM signatures
>
> The fact that it is easier does not make it correct - doesn't
> necessarily make it incorrect either - that's in part what the
> discussion is about. So if the list strips the signature and doesn't
> sign itself then John's responsibility (which he asserted) is abrogated
> with no acceptance of responsibility by the list owner. Is this really
> a general behavior that we want to promote? I ask this in all
> seriousness.
>
> [...]
>
> I think I tend to agree with Steve. Notify all parties that assert
> responsibility. That would include the author domain signer as well as
> the list if they wish to accept responsibility for mail they emit.

If I'm running a mailing list and I get a piece of signed mail, I'm certainly not removing its signature. The signer's reputation should suffer if people complain, or benefit in the absence of a complaint. My lists are (theoretically) generally clean, so I trust that over the long term my domain maintains a good reputation.

A receiver can therefore run both signatures, detect that one is bad (or unknown) but the other has a history of good content, and then make an appropriate conclusion. I wouldn't want to remove that information from a receiver.

Even without thinking of the FBL issues, I would want a reputation system to be fully informed about a candidate system rather than only partially informed.

I spoke to a couple of people about this in Anaheim: A way of using DKIM and Auth-Results to establish a definite chain of custody of a message would be highly useful.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
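
An added illustration of the receiver-side evaluation discussed in the message above (not code from the post or from any DKIM implementation): it reads every `dkim=` result from an Authentication-Results value and weighs each verified signing domain against a reputation table. The header, the reputation scores, the thresholds and the verdict policy are all constructed assumptions.

```python
import re

# Constructed sample: the author's signature broke in transit through the
# list (e.g. a footer was added) and the list signed the message itself.
SAMPLE_HEADER = (
    "mx.receiver.example;"
    " dkim=fail (body hash did not verify) header.d=author.example;"
    " dkim=pass header.d=list.example"
)

# Constructed reputation store: share of past mail from a signing domain that
# drew no complaints. A domain that is not listed is "unknown".
REPUTATION = {"list.example": 0.98, "bulk.example": 0.20}

_COMMENT = re.compile(r"\([^()]*\)")  # non-nested comments only
_DKIM = re.compile(r"^dkim\s*=\s*(\w+)\b.*?\bheader\.d\s*=\s*([\w.-]+)", re.I | re.S)

def dkim_results(header_value):
    """Return [(result, signing_domain), ...], one per dkim= entry."""
    clauses = _COMMENT.sub(" ", header_value).split(";")[1:]  # [0] is the authserv-id
    found = []
    for clause in clauses:
        m = _DKIM.match(clause.strip())
        if m:
            found.append((m.group(1).lower(), m.group(2).lower()))
    return found

def assess(header_value, reputation, good=0.9, bad=0.5):
    """Collect every verified signer, then apply a (hypothetical) policy."""
    responsible, unverified = {}, []
    for result, domain in dkim_results(header_value):
        if result == "pass":
            responsible[domain] = reputation.get(domain)  # None means unknown
        else:
            unverified.append(domain)  # failed signature: no one to credit or blame
    scores = [s for s in responsible.values() if s is not None]
    if any(s < bad for s in scores):
        verdict = "reject"    # a verified signer with a poor history
    elif any(s >= good for s in scores):
        verdict = "accept"    # at least one verified signer with a good history
    else:
        verdict = "neutral"   # nobody verifiable, or only unknown signers
    return {"verdict": verdict, "responsible": responsible, "unverified": unverified}

if __name__ == "__main__":
    print(assess(SAMPLE_HEADER, REPUTATION))
```

With the signature stripped and no list signature added, `responsible` comes back empty and the verdict falls to `neutral`, which is the loss of information the message argues against.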
