
[ietf-dkim] Re: is this a problem or not?

2005-10-28 20:31:40
Douglas Otis wrote:

> Removing or over-writing signatures (as reviewed in the
> multiple signature section of my threat review) would ensure
> the list does not expose other domains to replay abuse.

The header is user territory, end-to-end, nobody in transit
has to modify or remove a single bit in it.  Add crap as you
see fit, but don't touch what's already there.

Is this some "header-rewriting-system" for DKIM?  I really
hate it.  You always wanted an accountable party for the mail
in question.  You got it, it's Alice (or her provider).  Don't
touch her valid signature.

> all Administrative Units may wish to overwrite verified
> signatures and replace these signatures with a signature
> that by convention is never accepted outside the
> Administrative Unit.

If they wish to create their own mails they should be so
consequent to use their own From and Message-ID.  Otherwise
it could be even some legal offense (IANAL).

> If the list-server has a good reputation, why does the
> reputation of every subscriber to this list need to be
> questioned?

I'm not interested in the reputation of the list, after all
I subscribed, so apparently I like it.  I'm interested in
Alice (from Bob's POV).

> Why can't the list be held accountable for their messages?

But that's pointless, if I have a problem with a list I can
talk to its owner or abuse@listserver, and if nothing works
I unsubscribe.  For this scenario, a list where I'm really
subscribed.

For a wannabe-list-spammer it's different.  And that's also
the time when I'm interested to check if it's really from
Alice.  Or from PayPal.  Or from whatever spammy says.

> Why is white-listing needed?

Because the abusive list manipulated something beyond repair,
worse than the not-yet-designed new canonicalization allows.

Therefore DKIM breaks for this abusive list.  Therefore I
shouldn't waste time with DKIM checks for mails from this
list, a result FAIL would be clear.

Same situation as with SPF behind 5.3.6(a).  DKIM has the
advantage that there is no standard allowing to manipulate
mail DATA.  It can say "this list is broken, so forget it".

> Limit email-addresses to a single provider is a feature?

Sure, for those who want it.  It's not for everybody - some
feel even limited by SPF, where they could enumerate as many
IPs of as many ISPs as they wish for a given domain.

                            Bye, Frank

