Suppose that ietf.org asserts an ADSP record but doesn't require
signatures on incoming messages, even from its own domain (there's no
requirement that they do). Someone spoofs a message from
chair(_at_)ietf(_dot_)org, which is of course unsigned. The message coming
out of
the list looks like it has an author signature. I have a problem with that.
Ooh, DKIM vs. list managers again.
I don't think that anyone other than the management of ietf.org gets to
decide what their signing policy is. There are zillions of ways that
mailing lists decide what gets posted to a list. If you like their list
management policy, you can trust their signatures. If you don't, you
don't.
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html