On Sep 10, 2010, at 10:14 AM, Todd Lyons wrote:
On Fri, Sep 10, 2010 at 6:50 AM, McDowell, Brett
<bmcdowell(_at_)paypal-inc(_dot_)com> wrote:
Ugh! We simply have to fix the root cause of MLM's breaking DKIM
signatures.
Disagree. This would then mean MLM messages become visually similar to
messages from individuals.
I didn't mean to suggest MLM's should stop doing the things they do that
breaks DKIM signatures. I'm actually a fan of the A-R header (or perhaps a
new one) approach -- used in a clear (profiled?) way -- so MLM's can assert
to receivers that they verified the senders signature before processing and
re-signing it.
As an end receiver though, I certainly wouldn't trust an A-R header
that someone else put in during transit saying that it verified from
$BIG_COMPANY. That can too easily be forged. Now if that A-R header
was part of your DKIM sig or the header had a brief sig field that
could be tied back to your DKIM sig, it would become eligible to be
regarded as trustworthy (but not necessarily guaranteed to be so).
That's what I meant by "the A-R header (or perhaps a new one) approach". To be
more clear:
(1) sender sends DKIM-signed mail to typical mail list
(2) typical mail list verifies DKIM signature of sender
(3) typical mail list processes the message (adds it's footer, updates subject
line, etc.) and updates the A-R header info stating it verified signature of
sender
(5) typical mail list then DKIM-signs the entire message and delivers it to all
subscribers
(6) receiver verifies the mail list's DKIM signature, reads the claim in the
A-R header, makes a trust decision, and then processes the message as it would
if it had come directly form the sender (i.e., if it was ADSP=discardable it
would actually deliver the message because of the "chain of trust" from the
sender to the MLM to the receiver)
note: it's more complicated than this as more intermediaries may exist between
sender and MLM or MLM and receiver, but the concept remains in tact and between
DKIM and A-R the technology standards exist to implement this kind of ecosystem
(we may need a profile of A-R or a new header, something we should debate
sooner than later).
-- Brett
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops