ietf-dkim

Re: [ietf-dkim] Concerns about DKIM and mailing lists

2006-03-15 09:06:08


And, in fact, many subscribers insist on that modification, even though they could filter on headers such as List-ID instead.

They could filter on it, but only when it is present and when the subscriber knows it is present.

Unfortunately, adoption of the List-* standard is pretty erratic and I suspect that most users don't know about these header fields at all, unless their mail client has features that use them. Most don't.

Even for clients that implement the List-* construct, creating user filters that are based on the List-ID field requires quite a bit of sophistication.


One note here: the base spec COULD suggest that if the signature fails to verify and the subject is signed and begins with "[", that the verifier might retry after removing the "[xxx]" part. And then, much as with that part of the message that comes after the signed length, the verifier must decide what to do if the retry succeeds.

Not only would that be building a heuristic into the validation portion of an otherwise precise security specification, it would be basing the heuristic on an undocumented convention that is far from universal, rather than on a formal standard.


But in the worst case, the list has simply invalidated the signature, and we say that this SHOULD be considered equivalent to no signature at all. Absent SSP, this is no bad thing.

I am inclined to agree. However, the [] behavior is rather common. So we probably should consider whether it is reasonable to have DKIM contain features that are intended to allow a signature to survive mailing list transit, when we know that the final result will usually fail.

d/

--

Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
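
The retry heuristic discussed in this message, sketched as an added example that is not part of the original post or of any DKIM specification. A SHA-256 digest over the canonicalized From and Subject fields stands in for real signature verification, and all function names, addresses and subjects are constructed for illustration.

```python
import hashlib
import re

def relaxed_header(name, value):
    """Relaxed-style header canonicalization: lowercase name, unfold, squeeze whitespace."""
    value = re.sub(r"\r\n", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def header_digest(headers, signed=("from", "subject")):
    # Stand-in for the signature check (assumption): digest of the signed fields.
    data = "".join(relaxed_header(n, headers[n]) for n in signed)
    return hashlib.sha256(data.encode()).hexdigest()

# A leading "[xxx]" tag and the whitespace that follows it.
TAG = re.compile(r"^\[[^\]]*\]\s*")

def verify_with_retry(headers, expected):
    """Return 'pass', 'pass-after-retry' or 'fail'.

    The retry result is kept distinct because the verifier still has to
    decide how much weight a match on a modified Subject deserves.
    """
    if header_digest(headers) == expected:
        return "pass"
    subject = headers["subject"].lstrip()
    if subject.startswith("["):
        stripped = dict(headers, subject=TAG.sub("", subject, count=1))
        if header_digest(stripped) == expected:
            return "pass-after-retry"
    return "fail"

def demo():
    # Constructed messages: what the author signed vs. what the list delivered.
    signed = {"from": "alice@example.org", "subject": "Concerns about DKIM"}
    sig = header_digest(signed)
    reply = dict(signed, subject="Re: Concerns about DKIM")
    reply_sig = header_digest(reply)
    tagged = dict(signed, subject="[ietf-dkim] Concerns about DKIM")
    tagged_reply = dict(reply, subject="Re: [ietf-dkim] Concerns about DKIM")
    return {
        "untouched": verify_with_retry(signed, sig),
        "tag_prefixed": verify_with_retry(tagged, sig),
        # Tag inserted after "Re:": the subject no longer begins with "[".
        "tag_after_re": verify_with_retry(tagged_reply, reply_sig),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The third case shows the dependence on an unstandardized tagging convention: a list that places its tag after "Re:" defeats the retry even though the change is of the same kind.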
