Frank Ellermann wrote:
> Okay. I'd say that lists _changing_ 2822 header fields are
> at best utterly dubious, and that DKIM shouldn't waste too much
> time with broken list software. Why not simply promise to sign
> the List-ID in the SSP of the list?

A lot of list software is broken then, including this mailing list,
since it changes the Subject in many cases.

> If you're talking about lists with their own SSP. But I don't
> see how that could help if a bad actor claims to be a list, and
> to send mail "from" ebay. Somehow the SSP of ebay must be able
> to say "lie" no matter what the phisher-disguised-as-list does.

Including the List ID in a signature where the address of the signature
(i=) corresponds to the name of the list is a good way to assert that
the signature is from a mailing list. But as you point out, without
some other information that a particular address is, in fact, a
bona-fide mailing list, it could be anyone just posing as one.
-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org
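
The check described in the reply above (List-Id covered by the signature's h= tag, and i= corresponding to the list name), as an added Python example that is not part of the original message. The matching rule (List-Id equal to, or a child of, the i= domain), the function names and the sample messages are assumptions; the cryptographic signature itself is not verified here.

```python
import re
from email import message_from_string

def parse_tags(value):
    """Split a DKIM-Signature value into {tag: value}, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def list_signature_claim(raw_message):
    """Return (ok, reason): does some signature bind the List-Id to its signer?

    Assumed rule: the List-Id must equal the i= domain or be a child of it.
    This inspects tags only; it does NOT verify the signature.
    """
    msg = message_from_string(raw_message)
    list_id = msg.get("List-Id")
    if list_id is None:
        return False, "no List-Id header"
    m = re.search(r"<([^<>]+)>", list_id)
    list_name = (m.group(1) if m else list_id).strip().lower()
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        signed = {h.lower() for h in tags.get("h", "").split(":")}
        if "list-id" not in signed:
            continue  # List-Id not covered by this signature
        # i= defaults to "@" + d= when the tag is absent
        auid = tags.get("i", "@" + tags.get("d", "")).lower()
        domain = auid.rpartition("@")[2]
        if domain and (list_name == domain or list_name.endswith("." + domain)):
            return True, "List-Id signed by " + domain
    return False, "no signature binds List-Id to its signer"

def sample(d, h, list_id):
    """Build a constructed test message (placeholder bh=/b= values)."""
    return ("DKIM-Signature: v=1; a=rsa-sha256; d=%s; i=@%s;\n"
            " h=%s; bh=PLACEHOLDER; b=PLACEHOLDER\n"
            "List-Id: Example list <%s>\nFrom: user@example.com\n\nbody\n"
            % (d, d, h, list_id))
```

A true result only says that the signer vouches for the List-Id; as the reply notes, it does not establish that the signer is a bona-fide mailing list.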