Michael Thomas wrote:
Dave Crocker wrote:
With DKIM, they will be in "violation" of an Internet standard insofar
as they corrupt a legitimately signed piece of email, and preserve the
From: address. To a receiver, there is absolutely no difference
between that case and the case that we'd like to guard against,
namely spoofing of From: addresses.
Oh. Really?
Yes, really. It is explicitly part of SSP and the From: binding.
1. SSP is not a standard (yet) and there is agreement that it is not all that
mature. Hence, we cannot yet know what changes are going to be made to it.
Given the nature of discussions about SSP, the changes could reasonably be
expected to be considerable.
2. When SSP does emerge, its use is not going to be required for all DKIM
signing, nor should it be.
Folks seem to be viewing aspects of SSP as if they were a) already resolved, and
b) part of the core specification, rather than incremental to the base.
The base specification has exactly one bit of normative text involving mailing
lists (5.5 Compute the Message Hash). It does not say anything relevant to
the assertions you are making.
Where is the standard that says that a mailing list is required to
preserve specific pieces of information from a message posted to it?
Folks keep forgetting that a mailing list agent is a user agent. User
agents can do whatever they want, absent formal specifications to the
contrary.
And user agents can also spoof From: addresses in hopes of
getting Big Bux(tm) from unwary receivers. What's your point?
My point is that you are a) confusing legitimate behavior with nefarious
behavior, and b) confusing formal specifications with common practice within a
relatively narrow community.
We're trying to limit that degree of freedom by introducing
cross domain authentication to the mix. Mailing lists are
caught in the middle of this because they look, for all intents
and purposes, the same as the bad actors we'd like to put
into a smaller box.
I do not understand what you mean.
The fact that some things they find useful might have an impact on
DKIM's ability to be forwarded is unfortunate, but is a long way from
illegal.
"Illegal" is a loaded term.
Violate the standards. Contrary to, or forbidden by, law.
We are in a standards arena, so I think it entirely reasonable to distinguish
between formal requirements versus anything else. What you say is 'loaded' I
say is 'precise and accurate' for a standards discussion.
d/
--
Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html