John says...
Ohhh, noooooo, not this again. We flogged this topic at length while
arguing DK versus IIM.
:-)
I think it'll be a swell idea for list software to use DKIM on
incoming messages to verify the sender, but that's the list manager's
job, not the subscribers'.
Right. The idea, as I put it once, was that "If you break it, you
bought it." Put less colloquially, if a mailing list that knows it's
going to mangle the message receives a DKIM-signed message, it should
1. Verify the signature.
2. Apply whatever reputation service, white/black lists, spam
filtering, etc that it wants to, to decide whether the message should
pass on to the mailing list.
3. If it decides that it should pass, the mailing list should LEAVE the
existing signature (that part is not universally agreed on, of course,
but the next part is), mangle the message, and re-sign it (which is not
the same as being resigned to it).
The mailing list may, of course, choose to re-sign the message even if
it does not mangle it, which is all the more reason to leave the
original (still-valid) signature there.
Or maybe you meant remailers and forwarders rather than lists? I
think we all agree that DKIM is intended to survive those.
Yea, verily, 'tis.
Barry
--
Barry Leiba, Pervasive Computing Technology
(leiba(_at_)watson(_dot_)ibm(_dot_)com)
http://www.research.ibm.com/people/l/leiba
http://www.research.ibm.com/spam
_______________________________________________
ietf-dkim mailing list
http://dkim.org