ietf-dkim

Re: [ietf-dkim] Re: Attempted summary

2006-01-24 08:50:11
On Tue, Jan 24, 2006 at 10:09:40AM -0500, Wietse Venema allegedly wrote:

> What is not clear to me is the benefit of a mailing list signature
> that is required to vouch for the authenticity of someone else's
> FROM: address.  I see this as a source of confusion with both users
> and designers, and believe that this is a level of assurance that
> not every mailing list or other forwarder can provide.

That raises a question about assumptions. Is the fact that a List
signature includes "whatever was in the From: " actually vouching for
the authenticity of that address, or is it merely vouching for the
fact that this is the content it received?

The former - I call transitory trust - worries me conceptually. The
latter seems safer and simpler.

> I am concerned that the FROM: address is becoming a conceptual
> bottleneck, and would like to see a solution that allows mailing
> lists and other forwarders to sign mail ("as I forwarded this")
> without implied claims about the authenticity of the FROM: address.
> That is, the possibility of a mailing list etc. DKIM signature that
> just authenticates the list or forwarder.

That's how I was viewing a List signature. It was making no claims
about the original submission apart from "these are the bits as they
arrived at the List address". If some final list recipient sees value
in the original bits, good luck to them.

> If the original submission has a DKIM signature then of course that
> is great. If it doesn't, then we don't know that the mail came from
> that address, period. But if it has a valid list/forwarder signature,
> that can still be used to enable reputation-based systems.

Right.


Mark.
_______________________________________________
ietf-dkim mailing list
http://dkim.org
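
An added example, not part of the original message or the list archive: it reads a verified signature as authenticating only its signing domain (the `d=` tag), so a list signature counts as "as I forwarded this" and never as proof of the From: address. The function names, the constructed sample message, the exact-match domain comparison and the `verified_domains` input (domains whose signatures are assumed to have already passed cryptographic verification) are assumptions made for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample: a list signature added on top of an author signature.
# bh=/b= are placeholders; cryptographic verification is out of scope here.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=list.example; s=lists;
 h=from:to:subject:list-id; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=author.example; s=mail;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@author.example>
To: discuss@list.example
List-Id: <discuss.list.example>
Subject: hello

body
"""

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def classify(raw, verified_domains):
    """Return [(signing_domain, role)] for every signature assumed verified.

    role is "author" only when d= equals the From: domain (exact match is a
    simplification); any other verified signer is a "forwarder" that
    identifies itself and can carry its own reputation.
    """
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        d = parse_tags(value).get("d", "").lower()
        if d not in verified_domains:
            continue  # an unverified signature supports no claim at all
        results.append((d, "author" if d == from_domain else "forwarder"))
    return results

def from_is_authenticated(raw, verified_domains):
    """True only if a verified signature comes from the From: domain itself."""
    return any(role == "author" for _, role in classify(raw, verified_domains))
```

With only the list signature verified, the message still yields a reputation key (`list.example`) while `from_is_authenticated` stays false.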