I don't see any replay protection in here at all. Nothing that says to keep
the signature expiration relatively short, and nothing which a mailing list
recipient could not subsequently use to send spam. The first issue just needs
a mention. It's the second issue that needs to be addressed IMO:
Yeah, that occurred to me about five minutes after I posted it. Here's a
tweaked version where the mf tag is now mf=list.domain, with handwaving
about how a may-forward signature doesn't count unless there's also a
signature from the list domain. Given lengthy discussions about how
little abuse comes from real mailing lists, that'd probably be adequate.
http://datatracker.ietf.org/doc/draft-levine-may-forward/
I wouldn't bother with what you've proposed.
Neither would I. Whitelisting solves this problem far better.
Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822