On 19 May 2004, John Levine wrote:
Big problem I have with it is that yahoo domain keys breaks with email
forwarders, mail lists and roaming users (and they fully acknoledge that
it does not work with them and say there is no good work-around). That
makes it no-go as far as I concerned for initial deployment unless
changes are made.
Are you sure you read the same DK document as the rest of us?
http://antispam.yahoo.com/domainkeys/draft-delany-domainkeys-base-00.txt
Forwarding works fine if it doesn't mess with the message other than
prepending headers.
That is simplest forwarder and yes, it does work there.
Many forwarders do lot more then that unfortunetly, reseting Sender,
adding some "X-..." headers, etc.
Note also that I usually the word "forwarder" to mean just any mail relaying
server, including mail list server.
Roaming users work fine if they sign in the MUA.
Yes, if roaming user has private key. But since multiple private keys are
allowed, I'll accept that roaming user problem is not an issue with this
proposal.
Mailing lists are an issue but there are some ideas to deal with that.
To me its the biggest issue of all. Mail lists are EXTREMELY popular and
almost all mail list sofware modifies headers (sometimes changes "From"
and "To" and supposed to reset Sender and add List- headers). As such
deployment would mean that those using domain keys would not be able to
use mail lists until their software is somewhow modified to deal with
domain keys (which might take quite some time).
On Wed, 19 May 2004, Mark Baugher wrote:
You're assuming that there's no way to fix the break.
Actually no, I'm not. But knowing what domain keys would be about before
time and as such that these problems would exist, I was just hoping to see
specs that have dealt with these issues better. Perhaps I was too hopefull
and a bit unhappy that I had to read 30 pages and main details could fit
in 2 and did not solve some important problems and that yet again proposal
reused TXT record instead of propoing exact details on new dns record to
store public keys (which would be really really usefull).
Going back to maillist problem and similar, in my opinion, the way solve
these problems (when modification of email headers by intermediate MTA
would cause domain-keys verification to fail) is to have multiple
signatures for different parts of the email, with first one being
signature for content of the email (or even for each MIME part) and then
separate signature(s) for email headers with signature line that also
includes info on exactly which headers it is for, then when new headers
are added, they can be ignored when trying to verify this hash/signature.
---
William Leibzon
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg