On January 18, 2006 at 10:20, Douglas Otis wrote:
> Modifying the message is already a common practice by list-servers
> and resigning a modified message may not overcome restrictions
> imposed by a From email-address policy.

I wonder if there are any legal ramifications of modifying messages.
It is common for list software to modify messages, but one could
consider this a violation of copyright law. If DKIM gets deployed,
legal ramifications may become more probable.

> In the dkim-options draft, rather than restricting an email-address,
> the goal was to identify unique sources and highlight recognized
> correspondents. This included the ability to assert a signing role
> such as mediator, as in the case of a list-server. Adding a signing
> role avoids difficulties in classifying the nature of the source and
> may squelch conflict notifications.

Would specifying which field a signature is asserting a role against
be sufficient? For example, an originating domain may assert against
the originating header fields From, Sender, and/or Reply-To. A mailing
list could assert against the List-ID and possibly any other List-*
header fields.

Note, this does not preclude a signer from including any header field
in the signature. The role assertion only designates which header
fields it is applying a role to. This way, a mailing list can add
a signature w/o interfering with any SSP of an originator.

Taking the way SSP is defined now, it only needs to be examined
wrt the From field if a signature asserts a role against it. I.e.,
assertions against a known originating field (as defined in RFC-2822)
warrant an SSP check. This will allow domains to apply DKIM signatures
on messages without worrying if the domain associated with the
originating address disallows third-party signatures since such signatures
contain no assertion against an originating header field.

Note, this does not address your [Doug] overall concerns about SSP,
but only the security problems of allowing third-party signatures as
SSP is currently defined.

--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org
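
The role-assertion rule proposed in the message above, sketched as an added Python example; it is not part of the original post or of any DKIM specification. The `asserts` field set, the policy table and the verdict names are assumptions made for illustration, and the sample message is constructed.

```python
# Added illustration of the role-assertion rule proposed in the message above.
# The "asserts" set and the policy table are hypothetical stand-ins: the thread
# defines no tag syntax, and a real SSP check is a DNS lookup.
ORIGINATING = {"from", "sender", "reply-to"}  # originating fields named in the post


def addr_domain(value):
    """Domain part of a header address such as 'Alice <alice@example.com>'."""
    return value.rsplit("@", 1)[-1].strip(" <>").lower()


def classify(headers, sig, forbids_third_party, role_aware=True):
    """Return the verifier's verdict for one already-verified signature.

    headers: dict of lower-cased field name -> value
    sig: {"d": signing domain, "asserts": set of lower-cased field names}
    forbids_third_party: set of domains whose policy disallows third-party signing
    role_aware=False models checking every signature against From.
    """
    asserted = sig["asserts"] if role_aware else {"from"}
    if not asserted & ORIGINATING:
        # Mediator role (e.g. List-ID): no claim about the originator, no SSP check.
        return "no-ssp-check"
    from_domain = addr_domain(headers["from"])
    if sig["d"].lower() == from_domain:
        return "first-party"
    if from_domain in forbids_third_party:
        return "ssp-violation"
    return "third-party-allowed"


# Constructed sample: a list message carrying an originator and a list signature.
HEADERS = {"from": "Alice <alice@example.com>", "list-id": "<discuss.lists.example.net>"}
SIGS = [
    {"d": "example.com", "asserts": {"from", "sender"}},
    {"d": "lists.example.net", "asserts": {"list-id"}},
]
STRICT = {"example.com"}  # constructed policy: example.com disallows third-party signing


def verdicts(role_aware):
    return [classify(HEADERS, s, STRICT, role_aware) for s in SIGS]


if __name__ == "__main__":
    print("every signature checked against From:", verdicts(False))
    print("role-aware:", verdicts(True))
```

A signer from another domain that asserts against From is still subject to the originator's policy; only signatures that make no originating-field assertion skip the check.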