> -----Original Message----- > From: [email protected] [mailto:ietf-dkim- > [email protected]] On Behalf Of Ian Eiloart > Sent: Thursday, September 16, 2010 6:20 AM > To: Hector Santos; [email protected] > Subject: Re: [ietf-dkim] draft-vesely-dkim-joint-sigs >
<SNIP> > > I don't think so. The original signature should only sign the DKIM- > required > and From headers, and perhaps enough other headers to reduce utility of > replay attacks. Importantly, they should only sign parts that are likely > to > be unbroken by the MLM, thus satisfying ADSP requirements. However, the > recipient knows that a valid signature from the MLM is required, too. > Thus, > the original DKIM signature is only valid for messages going through the > list - off list replay isn't possible. On-list replay can be limited by > ALSO including a full DKIM signature, for the list to check before > redistributing. > > Ian, this makes no sense to me. If a signing domain is concerned enough to choose to implement ADSP, why would they reduce what they are signing to accommodate a small percentage of their mail going to MLMs that they may or may not be able to identify? I don't remove the locks on my doors because there is a possibility that someone might break one of my windows. I've said it before and I'll say it again. MLMs are the tail, not the dog. Don't wag the dog. Mike _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
