ietf-dkim

Re: [ietf-dkim] Re: Attempted summary

2006-01-24 08:16:28
Jim Fenton:
> John Levine wrote:
>>> Signing the From: header is currently required, but suppose it weren't:
>>
>> Then bad guys can take list messages and resend them with forged
>> return addresses and still have a valid signature.  Does anyone think
>> this is a good idea?
>
> Since this was quoted out of context, let me emphasize that my "suppose
> it weren't" was just a hypothetical for answering Wietse's question.  I
> firmly believe that the From header MUST always be signed.
>
>> I think the way we all expect to use DKIM is that a message comes in,
>> we check the signature, then we look up the signing domain in some
>> sort of reputation system, be it a local whitelist or something
>> fancier, then if the reputation is good we accept the mail, if it's
>> bad we reject it, and if there's no reputation, we fall back and do
>> what we would have done otherwise.
>
> Agreed.
>
>> With this model, I have a lot of trouble envisioning a scenario where
>> I would want list mail signed by anything other than the list.  If
>> there is old list software that doesn't sign and it happens to pass
>> signed messages, fine, but if the list software is DKIM aware at all,
>> I want it to sign so I can recognize list mail.

I see valid reasons why a mailing list submission would have a DKIM
signature over the FROM: address (and content etc.), by the domain
that controls the FROM: address. It provides assurance that the
mail actually came from that address.

I also see valid reasons why a list distributor or other forwarder
would place a DKIM signature over SOME header (and content etc.)
that identifies the mail as coming from that mailing list or other
forwarder. It provides assurance that the mail actually came through
that list or forwarder.

What is not clear to me is the benefit of a mailing list signature
that is required to vouch for the authenticity of someone else's
FROM: address.  I see this as a source of confusion with both users
and designers, and believe that this is a level of assurance that
not every mailing list or other forwarder can provide.

I am concerned that the FROM: address is becoming a conceptual
bottleneck, and would like to see a solution that allows mailing
lists and other forwarders to sign mail ("as I forwarded this")
without implied claims about the authenticity of the FROM: address.
That is, the possibility of a mailing list etc. DKIM signature that
just authenticates the list or forwarder.

If the original submission has a DKIM signature then of course that
is great. If it doesn't, then we don't know that the mail came from
that address, period. But if it has a valid list/forwarder signature,
that can still be used to enable reputation-based systems.

        Wietse
_______________________________________________
ietf-dkim mailing list
http://dkim.org
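
The distinction discussed in this thread (a signature by the domain in From: versus a signature by the list or forwarder) and the accept/reject/fall-back model, as an added example that is not part of the original messages or of any DKIM implementation. It assumes signatures have already been cryptographically verified elsewhere; the domains, the reputation values and the rule that a "bad" signer outweighs a "good" one are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed sample: a list post carrying the list's signature and the
# author's signature. bh=/b= are placeholders, not real signature data.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=list.example; s=l1;
 h=from:sender:list-id:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=author.example; s=a1;
 h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@author.example>
Sender: dkim-bounces@list.example
List-Id: <dkim.list.example>
Subject: test

body
"""

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # drop folding whitespace
    return tags

def classify(raw):
    """Label each signature 'author' (d= matches the From: domain) or 'forwarder'."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    out = []
    for value in msg.get_all("DKIM-Signature", []):
        t = parse_tags(value)
        d = t.get("d", "").lower()
        signed = [h.lower() for h in t.get("h", "").split(":")]
        aligned = d == from_domain or from_domain.endswith("." + d)
        role = "author" if aligned and "from" in signed else "forwarder"
        out.append((d, role))
    return out

def decide(verified, reputation):
    """verified: (domain, role) pairs whose signatures already passed verification."""
    scores = [reputation.get(d) for d, _ in verified]
    if "bad" in scores:  # assumption: any bad signer outweighs a good one
        return "reject"
    return "accept" if "good" in scores else "fallback"
```

A message signed only by the list still yields a usable reputation key (the list's d= domain), while the 'author' label is reserved for signatures whose domain matches the From: address.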