When I receive an email from DKIM mailing list, I know that it may contain messages from Dave Hector John Doug et all but in my mind the from is DKIM mailing list. The only dkim sig I am interested in is [email protected] and if I bothered to check adsp for [email protected] I wouldnt waste time checking any other signatures/adsp assertions from participants as I see a mailing list as an aggregator. If I was designing mailing list software I would strip any incoming headers that made any assertions about the authors, sign the pile with my dkim sig and forward as designed. I would be asserting that [email protected] is the author/aggregator not a forwarding service. Trying to have 3rd party in a hands off transaction assert or check that the authoring party may be who they say they are and making decisions upon adsp discardable that may or may not be valid is beyond any sensible solution. thanks, now back into lurk mode Bill
On Aug 3, 2010, at 6:03 AM, Rolf E. Sonneveld wrote: > On 08/03/2010 02:36 AM, John Levine wrote: >>> The proposal is to preserve the original message + DKIM signature and to >>> add the new (probably partially rewritten) output message, combined into >>> a multipart/alternative structure. The combined message is sent by the >>> MLM to the recipient. >>> >> Once again, I can only see this as screwing up the 99+% of users for >> whom the lists work just fine for the<1% who consider themselves so >> important that they need to mark their list mail with ADSP. >> > > I did not have ADSP in mind when writing this proposal. Let me be clear > about ADSP: IMO domains that publish adsp=discardable and yet send mail > with that domain via mailing lists, get what they deserve: problems. > >> Imagine you're a list manager. Your list has 1000 subscribers. Two >> of them demand that you do something to prevent address forgery due to >> forged unsigned messages, a problem that you have never observed to >> happen on your lists. What do you do? I know what I'd do. >> > > In a nutshell the problem of the combination DKIM + MLM can be > summarized (and simplified) as follows. > > On the plus side: > > 1. the mail that is received by a subscriber to a mailing list carries > (most of the time) the original From. > 2. the original DKIM signature can still be present in the message (if > we recommend the MLM authors to not remove DKIM-Signatures) > > However... > > 3. the MLM rewrites the Subject (in many cases) > 4. the MLM adds a footer (many cases) > 5. see par. 3.3 of Murrays draft for more things MLMs do to messages > > That means, we have a signature + From, but we no longer have a reliable > copy of the message to verify them. > > 6. we can tell the MLM authors to change their code to no longer do 3., > 4. and 5. but, as Murray describes in par. 3.4: > > <quote> > However, the practice of applying headers and footers to message > bodies is common and not expected to fade regardless of what > documents this or any standards body might produce. > </quote> > > With this situation in mind, I wrote my proposal, to provide the > verifier on the receiving side with a means to verify the original DKIM > signature. > > /rolf > _______________________________________________ > NOTE WELL: This list operates according to > http://mipassoc.org/dkim/ietf-list-rules.html _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
