ietf-dkim

Re: [ietf-dkim] Re: dkim service

2005-10-13 11:24:14
However, I could understand the source of some confusion.  It is useful 
to provide some level of protection of the body of a message so that a 
bad guy simply can't replace a legitimate body with a bogus one and 
replay the message. 

Right.

The protection offered must survive mailing list software without
requiring such software to fork lift upgrade (which ain't
happening).

Ohhh, noooooo, not this again.  We flogged this topic at length while
arguing DK versus IIM.

There's two separate problems with surviving mailing lists.

The first is technical: modern software does all sorts of awful things
to messages on the way through.  Some list packages take apart MIME
messages and can delete unwanted parts, flatten HTML to text, and then
put what's left back together to produce a message that is
semantically the same as the original but has different part
delimiters and may not put the parts in the same order.  A lot of list
software adds tags and ads to the top or bottom of the message, and
I've seen Yahoo groups edit the HTML in a message body to insert the
ad at the bottom.  Yes, there are still some lists that only add an
extra Received: header, but list software is getting more aggressive
at rewriting, not less.

The other is that if you say you need for signatures to pass through a
list, that suggests a rather peculiar model of the way that lists
work, like the list will pass through all sorts of garbage and it's up
to the subscribers to sort it all out.  Where I live, the list's
management takes responsibility for the list's contents.  They use a
variety of techniques to verify the source of messages, from weak
checks of sender addresses to C/R challenges to passwords in the
message to, for us old farts, manual moderation.  If a list is junky,
we tell the manager to fix it, we don't slap on a back end band-aid.
This works well in practice -- the amount of spam that shows up
through mailing lists is low enough that we remember individual
messages in the cases where it happened.

I think it'll be a swell idea for list software to use DKIM on
incoming messages to verify the sender, but that's the list manager's
job, not the subscribers'.

Or maybe you meant remailers and forwarders rather than lists?  I think
we all agree that DKIM is intended to survive those.

R's,
John


_______________________________________________
ietf-dkim mailing list
http://dkim.org