ietf-dkim

[ietf-dkim] Re: Attempted summary

2006-01-24 00:26:49
John Levine wrote:
Signing the From: header is currently required, but suppose it weren't: 
    

Then bad guys can take list messages and resend them with forged
return addresses and still have a valid signature.  Does anyone think
this is a good idea?
  
Since this was quoted out of context, let me emphasize that my "suppose
it weren't" was just a hypothetical for answering Wietse's question.  I
firmly believe that the From header MUST always be signed.

I think the way we all expect to use DKIM is that a message comes in,
we check the signature, then we look up the signing domain in some
sort of reputation system, be it a local whitelist or something
fancier, then if the reputation is good we accept the mail, if it's
bad we reject it, and if there's no reputation, we fall back and do
what we would have done otherwise.
  
Agreed.

With this model, I have a lot of trouble envisioning a scenario where
I would want list mail signed by anything other than the list.  If
there is old list software that doesn't sign and it happens to pass
signed messages, fine, but if the list software is DKIM aware at all,
I want it to sign so I can recognize list mail.
  
If the list does sufficient damage to the message that any incoming
signature is invalid, it might as well throw away the original
signature.  If it's still there, someone is likely to waste time trying
to verify it.  OTOH, if a list doesn't do that much, maybe only adds a
List-ID and similar header fields, I would be inclined to keep the
original signature.  I don't like to throw away things that may be
valid.  This attitude is also reflected in the state of my attic.

-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org
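
The receive-side model discussed in this message (check the signature, look up the signing domain's reputation, then accept, reject or fall back), sketched as an added example that is not part of the original post or of any DKIM implementation. It assumes the cryptographic check is done elsewhere and passed in as `crypto_ok`, that a signature which fails or does not cover From is handled like unsigned mail, and that reputation is a local map; the function names, domains and signature values are constructed.

```python
import re

def parse_tags(sig_value):
    """Parse a DKIM-Signature field value into a {tag: value} dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", sig_value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" not in part:
            continue  # empty segment after a trailing ';'
        name, value = part.split("=", 1)  # b= values may contain '='
        tags[name.strip()] = value.strip()
    return tags

def signed_headers(tags):
    """Header field names covered by the signature (h= tag), lower-cased."""
    return [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]

def triage(sig_value, crypto_ok, reputation):
    """Return 'accept', 'reject' or 'fallback' for one signature.

    crypto_ok:  outcome of the cryptographic verification (assumed input).
    reputation: local map of signing domain -> 'good' / 'bad' (assumed).
    """
    tags = parse_tags(sig_value)
    # A signature that does not cover From says nothing about the author
    # address the reader sees, so it earns no reputation credit here.
    if not crypto_ok or "from" not in signed_headers(tags):
        return "fallback"
    verdict = reputation.get(tags.get("d", "").lower())
    if verdict == "good":
        return "accept"
    if verdict == "bad":
        return "reject"
    return "fallback"  # no reputation: do what we would have done otherwise

# Constructed sample data (placeholder b= values, example domains).
REPUTATION = {"lists.example.org": "good", "bulk.example.net": "bad"}
SIG_LIST = ("a=rsa-sha256; d=lists.example.org; s=sel1;\r\n"
            "\th=From:To:Subject:List-ID; b=PLACEHOLDER==")
SIG_NO_FROM = "a=rsa-sha256; d=lists.example.org; s=sel1; h=To:Subject; b=PLACEHOLDER=="
SIG_BAD = "a=rsa-sha256; d=bulk.example.net; s=k1; h=From:Subject; b=PLACEHOLDER=="
SIG_UNKNOWN = "a=rsa-sha256; d=new.example.com; s=k1; h=from:subject; b=PLACEHOLDER=="
```
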