ietf-dkim

Re: [ietf-dkim] Re: DKIM and mailing lists

2006-01-21 08:07:00

From: "Frank Ellermann" <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de>


So far it was my impression that DKIM tries to establish some
accountability as near to the "originator" as possible.  As a
simple rule that's "if it already has a valid signature, don't
touch it".

As an author of a list server, I prefer to STRIP the signature when
allowed to avoid tampering with the many options already offered to the
list owner.

From the point of view of the message author, the signed message sent to
the list agent has already reached its final destination and has
accomplished its goal of a secured transaction.  At this point, the list
owner takes over.

What that means is that, in order to be consistent with the SSP protocol,
it should only be able to do this for:

         NONE (no policy)
    o=?  WEAK (signature optional, no third party)
    o=~  NEUTRAL (signature optional, 3rd party allowed)

The LS server will:

 NONE,    do not sign message
 WEAK,    strip, do not sign
 NEUTRAL, if any, strip/replace if he wants to re-sign it.

This is the only way the protocol integrity will be maintained when the
submitted message is expanded and distributed to downlink DKIM
receivers.

Fortunately there's no such thing as "sign some - third party
never" in SSP, so at least for unsigned mails the situation is
clear for DKIM-aware lists.

What about the WEAK (o=?) policy?

I am operating under the assumption that people's input, including that of
Arvel Hathcock, who suggested the WEAK policy, is taken seriously and will
be added to the updated DRAFT SSP.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com



_______________________________________________
ietf-dkim mailing list
http://dkim.org
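
The list-server handling described in the message above, sketched as an added example (not code from the original post or from any list software). The function name, the use of the `DKIM-Signature` header, and the treatment of any policy other than the three listed are assumptions of this example; it reads the two lists together as "stripping is permitted for all three policies, re-signing only for NEUTRAL".

```python
from email import message_from_string

# Policy tags as written in the message; None means no SSP record was found.
# Value: (name, strip_allowed, may_resign), per this example's reading.
LIST_RULES = {
    None:  ("NONE",    True, False),   # no policy: do not sign
    "o=?": ("WEAK",    True, False),   # strip, do not sign
    "o=~": ("NEUTRAL", True, True),    # strip/replace, list may re-sign
}

# Constructed sample message; the signature value is a placeholder.
SAMPLE = (
    "From: author@example.org\n"
    "To: list@lists.example.net\n"
    "Subject: test\n"
    "DKIM-Signature: a=rsa-sha1; d=example.org; s=sel;\n"
    "\tb=CONSTRUCTEDPLACEHOLDER\n"
    "\n"
    "Hello list.\n"
)

def prepare_for_list(raw_message, author_policy):
    """Return (message_text, stripped_count, may_resign) for redistribution."""
    rule = LIST_RULES.get(author_policy)
    if rule is None:
        # Assumption: under any other policy the author's signature is left
        # untouched and the list server never adds its own.
        return raw_message, 0, False
    _name, strip_allowed, may_resign = rule
    msg = message_from_string(raw_message)
    stripped = len(msg.get_all("DKIM-Signature", []))
    if strip_allowed and stripped:
        # Deleting by name removes every occurrence, folded lines included.
        del msg["DKIM-Signature"]
    return msg.as_string(), stripped, may_resign

if __name__ == "__main__":
    for tag in (None, "o=?", "o=~", "o=X"):   # "o=X" is a constructed tag
        text, n, resign = prepare_for_list(SAMPLE, tag)
        print(tag, "stripped:", n, "may re-sign:", resign,
              "signature present:", "DKIM-Signature" in text)
```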