On May 1, 2014, at 12:54 PM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:
> author's site. That shouldn't require the mailing list to communicate
> with the author's site, but it might require the author's site to get
> something from the mailing list's site.
> That seems overcomplicated. Just make the expiration time fairly
> short, since it's a rare mailing list that takes more than a day to do
> its thing.
> Perhaps it's time for a more concrete proposal to be written down.
> It occurred to me that there's a very simple way to do this:
> http://datatracker.ietf.org/doc/draft-levine-may-forward/
Dear John,
Thank you for taking time to create this draft. It seems to meet Pete's
expectations. As suggested, it also provides a repository of replay-able
cryptographic tokens aimed at defeating both DMARC and DKIM protection when
used in a timely fashion. Should all mailing lists hold DMARC protected
messages until DKIM signatures expire? Perhaps even add warnings in the
friendly name that such messages are only intended for third-party services.
Author Domains still need to signal their understanding of the message's
destination. Not really any different from TPA, but TPA does not impact how
mailing lists or other third-party services work, or potentially defeat
protections of other messages, or change the signatures being applied. At
least, this draft suggests the Author Domain cares about the harm their DMARC
policy might cause. Setting p=quarantine seems much easier.
Regards,
Douglas Otis
_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822
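The exchange above turns on how long a DKIM signature stays replayable: Levine's suggestion is to keep the expiration short, and Otis's objection is that a signed message remains a valid token until that expiry passes. The following is an added example, not code from the thread, from draft-levine-may-forward, or from any DKIM implementation. It parses the tag=value list of a DKIM-Signature header and evaluates only the time-bound tags defined in RFC 6376 (t= signing time, x= expiration), reporting whether a verifier would still accept the signature at a given moment and how wide the replay window is. The header value, the selector `sel`, the domain `example.com`, the 300-second skew tolerance and the function names are all constructed for illustration; the cryptographic verification of b= and bh= is deliberately out of scope.

```python
"""Time-bounded validity of a DKIM-Signature header (RFC 6376 t= and x= tags).

Added example: no signature verification is performed, only the
expiry logic that bounds how long a captured message can be replayed.
"""
from typing import Dict, Optional

# Constructed sample header (not a real signature). t= is 2014-05-01 16:54 UTC,
# x= is exactly one day later, i.e. the "fairly short" window suggested above.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
    "\th=from:to:subject:date; t=1398963240; x=1399049640;\r\n"
    "\tbh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZw=="
)

# Same header with no x= tag: such a signature never expires on its own.
SAMPLE_HEADER_NO_EXPIRY = SAMPLE_HEADER.replace(" x=1399049640;", "")


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2).

    Folding whitespace inside values is removed; a duplicated tag is an
    error, as the RFC requires the verifier to reject the signature.
    """
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        name, _, value = part.partition("=")
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = "".join(value.split())
    return tags


def signature_time_status(tags: Dict[str, str], now: int,
                          skew: int = 300) -> str:
    """Classify a parsed signature at Unix time `now`.

    Returns one of:
      'future'    - t= is ahead of the verifier's clock beyond the skew allowance
      'expired'   - x= has passed, even allowing the skew tolerance
      'no-expiry' - no x= tag; the signature is accepted indefinitely
      'ok'        - within the validity window
    `skew` is an assumed clock tolerance; RFC 6376 permits one but sets no value.
    """
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    if t is not None and x is not None and x < t:
        raise ValueError("x= must not be earlier than t=")
    if t is not None and t > now + skew:
        return "future"
    if x is None:
        return "no-expiry"
    if x + skew < now:
        return "expired"
    return "ok"


def replay_window_seconds(tags: Dict[str, str]) -> Optional[int]:
    """Seconds during which a captured copy stays verifiable (None if unbounded)."""
    if "x" not in tags:
        return None
    start = int(tags["t"]) if "t" in tags else 0
    return int(tags["x"]) - start


if __name__ == "__main__":
    parsed = parse_dkim_tags(SAMPLE_HEADER)
    print("signer:", parsed["d"], "selector:", parsed["s"])
    print("window (s):", replay_window_seconds(parsed))
    for when in (1398963240 + 3600, 1399049640 + 3600):
        print(when, signature_time_status(parsed, now=when))
```

A list operator who wants to act on Otis's question can run `signature_time_status` on an incoming post: a message whose status is already `expired` or `no-expiry` carries no time bound worth waiting for, while `replay_window_seconds` shows directly how much Levine's short x= buys compared with a signature that omits the tag.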