
Re: [ietf-822] Aptness of DKIM for MLs

2014-05-09 11:40:45
Hi Alessandro,
At 03:23 09-05-2014, Alessandro Vesely wrote:
> No, it doesn't.  It broke elandsys' signature, but check tana's
> signature on this message.  (I send this to ietf-822 only, to avoid
> any confusion.)

The verifier at my end validated the ietf.org signature instead of the tana.it signature.

> So it seems I could publish a strict DMARC policy right now, and cause
> minimal disruptions.  However, some verifiers (NetEase) consider
> tana's h= inadequate, see "objection" below.

>> Gratuitous changes to a mailing list message is a matter of
>> opinion.
>
> Well, not exactly.

> For corrections, section 6.4 of RFC 5321 is rather clear that
> submission servers MAY, while intermediate relays MUST NOT, apply
> certain changes.  So the range where opinions may vary is whether an
> MLM is to be considered akin to submission servers or relays.
>
> By /gratuitous/ changes, such as adding/removing double quote marks, I
> mean unnecessary embellishments that were already disputable before
> DKIM took root.

I thought that you meant subject tagging, etc. If the objective is to ensure that an MLM does not make any change, it is easier to say "MLM must not make any change as that will break X" instead of looking for a clause to justify whether any change is appropriate.

> Yes, much of this discussion was recited at the time of ADSP, for
> example http://mipassoc.org/pipermail/ietf-dkim/2010q3/013829.html
>
> The most relevant objection to weak signatures is why would domains so
> concerned about security as to publish a strong policy weaken their
> DKIM signatures?  A solution is to do so for ML messages only.

Yes, it would weaken the DKIM signature.

> To recap, assume a domain has a DB of (user, mailing list) pairs which
> defines ML traffic.  Messages to ML are then sent in separate SMTP
> transactions and weakly signed.  MLMs sign those messages in turn,
> using strong signatures.  Verifiers derive the validity of MLM domains
> by comparing d= against To: or Cc: mailboxes.
>
> Besides minor refinements, the major bar is to build that DB.  I
> proposed to do it manually to start with, and then find out how to
> automate its maintenance.

I'd say try it. :-) You may have to convince the people writing the software to make changes. That's usually the difficult part.

Regards,
S. Moonesamy
_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822
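The verifier-side rule from the recap quoted above (compare each signature's d= against the To:/Cc: mailbox domains to pick out the MLM's signature, and inspect what its h= covers) as an added Python illustration; this is not code from the thread or from either author, and the sample message, domains, selectors and the covers_from/covers_subject flags are constructed assumptions. It only reads the signature tags; a real verifier would first run the RFC 6376 cryptographic check on each signature.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed sample message (not from the thread): the author domain signs
# only a few headers, the list domain re-signs with a fuller h= after tagging.
SAMPLE = """\
From: alice@example.org
To: ietf-822@example.net
Cc: bob@example.com
Subject: [ietf-822] Re: DKIM and lists
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; h=from:to:date;
 bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=list;
 h=from:to:cc:subject:date:list-id; bh=PLACEHOLDER; b=PLACEHOLDER

body
"""

def parse_tags(sig):
    """Split a DKIM-Signature field value into its tag=value pairs."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def recipient_domains(msg):
    """Lower-cased domains of every To: and Cc: mailbox."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {a.rsplit("@", 1)[1].lower() for _, a in addrs if "@" in a}

def classify(raw):
    """For each signature: d=, the h= list, whether d= matches a recipient
    domain (the thread's MLM test), and which mutable headers it covers."""
    msg = email.message_from_string(raw, policy=policy.default)
    rcpt = recipient_domains(msg)
    out = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(sig))
        d = tags.get("d", "").lower()
        h = [x.strip().lower() for x in tags.get("h", "").split(":") if x.strip()]
        out.append({"d": d, "h": h, "mlm_candidate": d in rcpt,
                    "covers_from": "from" in h, "covers_subject": "subject" in h})
    return out
```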