----- Original Message -----
From: "Michael Thomas" <mike(_at_)mtcc(_dot_)com>
To: <arvel(_dot_)hathcock(_at_)altn(_dot_)com>
So if I set a policy of "I sign all", and a mailing list mangles it,
what exactly is the mailing list receiving the bounce going to
do? Blackhole it? Bounce the user off the list? Anything useful
whatsoever?
We develop an MLS so I can provide my our integration design considerations
done.
It depends first if the MLS is DKIM compliant. If not, normal MLS
processing is done, which may of course promotes the #1 DKIM concern -
breaking the integrity of the message.
For the DKIM compliant MLS, then in order to "better" support DKIM, some
major consideration has to be done. Some considerations were written in
DSAP:
3.3. Mailing List Servers
Mailing List Servers (MLS) applications who are compliant with DKIM
and DSAP operations, SHOULD adhere to the following guidelines:
Subscription Controls
MLS subscription processes should perform a DSAP check to
determine if a subscribing email domain DSAP policy is restrictive
in regards to mail integrity changes or 3rd party signatures. The
MLS SHOULD only allow original domain policies who allow 3rd party
signatures.
Message Content Integrity Change
List Servers which will alter the message content SHOULD only do
so for original domains with optional DKIM signing practices and
it should remove the original signature if present. If the List
Server is not going to alter the message, it SHOULD NOT remove the
signature, if present.
In short, there were three design questions here:
- Will a domain who wants to sign all mail even want to send
his mail into a mailing list that is not DKIM complaint?
You are assuming this is desirable.
- Will then DKIM compliant MLS even want to accept the
responsibilty for handling the incoming domain mail with
restrictive policies?
The MLS will only want to do 3rd party signing, so it would
only be ideally work with policies that allow 3rd party signing.
- and will then DKIM compliant MLS even to allow the subscription
from email domains restrictive policies?
To mininize failure, a pre-emptive approach is a great feature
for the MLS DKIM implementator. I see this an feature for
the software. So the docs should only provide hindsight.
If you believe MLS should be able to sign all mail itself without
restriction, then without a doubt this will help mold (cut down) the
available policies for DKIM. This is what you want, I believe.
But again, this assumes that domains will even want to send these types of
high-value domain mail to a mailing list, and without a 3rd party signing
restriction, you open the door for abuse because you will never know for
sure if it really come from a MLS or some other middle-man exploitation.
You lose confidence in the DKIM signing practice.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html