Re: [ietf-dkim] Concerns about DKIM and mailiing lists, etc.
2006-03-16 08:35:07
> We are concerned about phishing attacks against Cisco employees via
> spoofs purporting to come from Cisco itself.

Oh, OK, then your trusted signer list includes cisco.com. (Until a bad
guy uses a zombie inside your firewall to send signed cisco.com phishes,
but you can pretend to be surprised when that happens.)

> By signing all our mail and having a policy that we sign all our mail,
> we can be reasonably certain that mail without a valid signature isn't
> from Cisco and annotate the message accordingly. This works just fine
> with the exception of mailing lists.

How many phishes have you ever seen that were sent through mailing lists?
I've seen precious few, and in the unlikely event that it becomes a
problem, list managers will have to deal with it, not just for Cisco.
They'll doubtless deal using other tools than DKIM since it'll be a long
time until DKIM is widely enough used to be any list's primary validation
tool.

> From what I can tell right now, for the "typical" mailing list, it's
> going to validate.

Mail from this list won't validate, you know, and I doubt that many others
will, but I know I'm not going to make any headway in that direction.

In any event, Cisco will have to decide whether the actual cost of
forbidding their employees to participate in lists that break signatures
outweighs the theoretical benefits of blocking list-borne phishes. If it
does, you might consider adding known well-behaved list hosts to your
trusted signer list. I suspect you won't have to compile that list on
your own, since we all plan to add them to our lists, too.
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for
Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
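
Added example, not part of the original message or the list archive: a receiver-side sketch of the annotation policy debated above, where mail from a domain that signs all its mail is flagged unless a valid signature from that domain, or from a list host on the trusted signer list, is present. The domain sets, the labels and the `classify` and `sample` names are assumptions for illustration, and DKIM verification itself is assumed to happen upstream.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed receiver configuration (constructed values, not from the thread).
SIGNS_ALL = {"cisco.com"}                     # domains with a "we sign all our mail" policy
TRUSTED_LIST_SIGNERS = {"lists.example.org"}  # list hosts added to the trusted signer list


def classify(raw_message, valid_signers):
    """Annotate one message.

    valid_signers is the set of d= domains whose DKIM signatures verified;
    the cryptographic check is assumed to be done by an upstream verifier.
    """
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return "suspicious"  # zero or several From headers: no single author to check
    from_domain = parseaddr(from_headers[0])[1].rpartition("@")[2].lower()
    if not from_domain:
        return "suspicious"  # unparseable author address
    valid = {d.lower() for d in valid_signers}
    if from_domain in valid:
        return "author-signed"
    if from_domain not in SIGNS_ALL:
        return "no-policy"  # a missing signature proves nothing for this domain
    if valid & TRUSTED_LIST_SIGNERS:
        return "list-signed"  # author signature broke in transit, a trusted list signed
    return "suspicious"  # sign-all domain with no valid signature from it or a trusted list


def sample(from_addr):
    """Build a constructed message for the demonstration."""
    return f"From: {from_addr}\nSubject: quarterly update\n\nbody\n"


if __name__ == "__main__":
    cases = [
        ("direct, author signature valid", sample("alice@cisco.com"), {"cisco.com"}),
        ("spoof, no signature", sample("alice@cisco.com"), set()),
        ("via list that re-signed", sample("alice@cisco.com"), {"lists.example.org"}),
        ("via list that broke the signature", sample("alice@cisco.com"), set()),
        ("domain without a sign-all policy", sample("bob@example.net"), set()),
    ]
    for label, raw, signers in cases:
        print(f"{label}: {classify(raw, signers)}")
```

The second and fourth cases get the same label, which is the mailing-list problem the thread is arguing about: a list that breaks the author signature and adds none of its own is indistinguishable from a spoof under this policy.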