Re: [ietf-822] WSJ/gmail/ML, was a permission to...

On 5/4/2014 11:07 PM, Russ Allbery wrote:
> Ned Freed <ned(_dot_)freed(_at_)mrochek(_dot_)com> writes:
>
> > Now, it's entirely possible that it will be done in a way that leaves
> > DMARC intact. But it is also possible that it will be done in ways that
> > leave DMARC in tatters.
> > And I for one am having a lot of trouble mustering up any sympathy if we
> > end up with the latter.
> +1
>
> Right now, I consider breaking DMARC signatures to be a feature, not a
> bug, and am acting accordingly in the maintenance of my mailing lists.
> Users who want reliable mailing list service can use a non-broken email
> provider.
>
> If we come up with something better, I'm happy to consider it.  But I'm
> not going to jump through hoops, or rewrite messages in broken and
> deceptive ways, just because Yahoo and AOL had a security problem that
> they want to externalize to the rest of the Internet.
But its everyone's security problem, Russ.  The List Service Provider 
(LSP) just felt it more now when the high volume of DKIM+POLICY usage 
switched was finally enabled.  It was always a known possibility by 
design to offer strong filtering for self-signing 
exclusive/restrictive policies. The LSP has refused to adjust to a 
long time mail integration change need.  It wanted to add raw 
DKIM-BASE for resigning, but it didn't want the baggage that it came 
with with author domain policy lookups or for any signer domain lookup 
methodology for that matter. This second layer simply hasn't 
materialize.  No one (other mail software vendors) wants to add the 
logic to Check Signing Practices from either the AUTHOR or the SIGNER.
Go figure.

--
HLS


_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822