Bug#500966: lists.debian.org: should sign outbound mail with DKIM

2008-10-03 Thread Thomas Viehmann
tag 500966 wontfix
thanks

Hi Russell,

Russell Coker wrote:
> To prevent forgeries of mail from the lists.debian.org server I believe
> that we should have DKIM installed to sign all outbound mail.  It really
> is not difficult to do in Lenny, and it shouldn't be difficult to
> back-port the relevant packages to Etch if necessary.

I don't think it's appropriate to sign relayed mails unless we have
verified some previous signature and even then it's questionable.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#500966: lists.debian.org: should sign outbound mail with DKIM

2008-10-03 Thread Russell Coker
On Friday 03 October 2008 18:32, Thomas Viehmann [EMAIL PROTECTED] wrote:
> > To prevent forgeries of mail from the lists.debian.org server I believe
> > that we should have DKIM installed to sign all outbound mail.  It really
> > is not difficult to do in Lenny, and it shouldn't be difficult to
> > back-port the relevant packages to Etch if necessary.
>
> I don't think it's appropriate to sign relayed mails unless we have
> verified some previous signature and even then it's questionable.

The signature is not making any statement about the content of the message, 
merely about where it came from.

If a message is signed as coming from a Debian list server then I can know 
whether it was corrupted between the Debian server and my mail server.  Then 
if there is some issue as to the content I can contact the Debian list 
administrators if there is a need to track it back further.

The Gmail servers sign all mail.  Some of that mail is spam, and a lot of the 
non-spam mail is of low quality.  This does not reduce the value of having a 
signature.  Knowing that a message came from a Gmail server without 
corruption is useful, I can then assign a value on the message based on the 
reported sender.

Ideally the Debian list servers would sign outgoing mail and also sign an 
extra header which indicates the signing status of the message when it 
arrived at the Debian server.  The DKIM spec supports signing arbitrary 
headers - including X- headers.
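
The arrangement described in this message, worked through as an added example (not code from the thread or from Debian's list software): the list server records the inbound check result in an extra header and names that header in `h=`, so the signature covers it. The header name `X-Inbound-DKIM-Status`, the domain `lists.example.org` and the selector `sel2008` are hypothetical, and the code stops at the SHA-256 digest that the RSA key would sign (`b=` stays empty).

```python
import base64, hashlib, re

STATUS_HEADER = "X-Inbound-DKIM-Status"          # hypothetical header name
SIGNED = ["From", "To", "Subject", "Date", STATUS_HEADER]

def relaxed_header(name, value):
    """RFC 6376 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"

def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()                              # drop trailing empty lines
    return "".join(ln + "\r\n" for ln in lines)

def signing_digest(headers, body, names, domain, selector):
    """Return (DKIM-Signature value with empty b=, hex digest the key signs)."""
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest())
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
           f"h={':'.join(names)}; bh={bh.decode()}; b=")
    remaining, data = list(headers), ""
    for wanted in names:
        # each h= entry consumes the lowest not-yet-used field of that name
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                data += relaxed_header(*remaining.pop(i))
                break
    data += relaxed_header("DKIM-Signature", sig)[:-2]  # no trailing CRLF
    return sig, hashlib.sha256(data.encode()).hexdigest()

def list_sign(headers, body, inbound_result):
    """Stamp the inbound verification result, then cover it with h=."""
    stamped = headers + [(STATUS_HEADER, inbound_result)]
    sig, digest = signing_digest(stamped, body, SIGNED, "lists.example.org", "sel2008")
    return stamped, sig, digest

# Constructed sample message (not taken from the thread)
SAMPLE_HEADERS = [("From", "Alice <alice@example.net>"),
                  ("To", "debian-test@lists.example.org"),
                  ("Subject", "Re:  a   question"),
                  ("Date", "Fri, 03 Oct 2008 18:32:00 +0000")]
SAMPLE_BODY = "Hello list,\r\n\r\nsome text  \r\n\r\n"

if __name__ == "__main__":
    print(*list_sign(SAMPLE_HEADERS, SAMPLE_BODY, "none")[1:], sep="\n")
```

A receiver recomputes the same digest from the headers listed in `h=`, so rewriting the status header after signing changes the digest, while headers outside `h=` (such as a later `Received:` line) do not affect it.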






Bug#500966: lists.debian.org: should sign outbound mail with DKIM

2008-10-03 Thread Thomas Viehmann
Russell Coker wrote:
> On Friday 03 October 2008 18:32, Thomas Viehmann [EMAIL PROTECTED] wrote:
> > > To prevent forgeries of mail from the lists.debian.org server I believe
> > > that we should have DKIM installed to sign all outbound mail.  It really
> > > is not difficult to do in Lenny, and it shouldn't be difficult to
> > > back-port the relevant packages to Etch if necessary.
> > I don't think it's appropriate to sign relayed mails unless we have
> > verified some previous signature and even then it's questionable.
>
> The signature is not making any statement about the content of the message,
> merely about where it came from.
Yeah, and the messages don't originate at lists.debian.org, they are
merely forwarded. The little I read (in the discussion of the l= length
field) seems to indicate that the designers of DKIM agree that
forwarders should not sign messages.
IMO signing arbitrary messages on forward would defeat the purpose of DKIM.
For gmail, mail actually originates with them. That's a fundamental
difference to lists.d.o.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/






Bug#500966: lists.debian.org: should sign outbound mail with DKIM

2008-10-03 Thread Russell Coker
On Friday 03 October 2008 22:06, Thomas Viehmann [EMAIL PROTECTED] wrote:
> Yeah, and the messages don't originate at lists.debian.org, they are
> merely forwarded. The little I read (in the discussion of the l= length
> field) seems to indicate that the designers of DKIM agree that
> forwarders should not sign messages.
> IMO signing arbitrary messages on forward would defeat the purpose of DKIM.
> For gmail, mail actually originates with them. That's a fundamental
> difference to lists.d.o.

If you consider that there are only two levels of mail, signed and unsigned, 
then signing mailing list mail would be the wrong thing to do.

If you consider DKIM as a way of authenticating the origin of mail 
independently of its value then signing all mail is the right thing to do.






Bug#500966: lists.debian.org: should sign outbound mail with DKIM

2008-10-02 Thread Russell Coker
Package: lists.debian.org
Severity: normal

To prevent forgeries of mail from the lists.debian.org server I believe
that we should have DKIM installed to sign all outbound mail.  It really
is not difficult to do in Lenny, and it shouldn't be difficult to
back-port the relevant packages to Etch if necessary.


