----- Original Message -----
From: "Steve Atkins" <steve(_at_)blighty(_dot_)com>
To: "IETF DKIM WG" <ietf-dkim(_at_)mipassoc(_dot_)org>
Ah, I misunderstood. Your concern is that some mail transports,
including mailing lists, will invalidate a messages signature,
causing it to be unsigned.
That's certainly true, though I see it more as an example of
the futility of expecting DKIM, and anything based on it,
to be able to decide between "this is authorized mail" and
"this is unauthorized mail" rather than between "this is
authorized mail" and "I don't know whether this is
authorized or not".
Practically, as we knew since the beginning, the main problem is with the
middle ware such as list servers, mail bots, etc, that offer the highest
potential for damage.
The more direct transports will probably survive because for the most part,
most systems, the BCP is to honor the passthru concept. In fact, as a side
note, there is legal precedence and a current appeals court case dealing
with this very concept of "who owns passthru mail." (ISP was screwing around
with routed mail for anti-competitive reasons and was sued based on US EPCA
grounds; lower court ruled in favor of the ISP, but most experts agreed it
was a wrong decision based on decades old tradition. It is under appeal and
most legal experts believe it will be overturned).
So with normal email, I'm sure there are the exceptions, I have little or
less concern as it should naturally and expected to work.
But with list servers, that's a different story and since we are so intent
in making it work or "fit" with list servers, well, I can only express what
we would need to do in changing our software to accommodate this DKIM
engineering request.
The main issue with the list server problem is the "cry wolf" syndrome and
the inevitable high potential to ignore DKIM signature simply because they
will have a high rate of failure in mailing list. Isn't this what happen
with SMIME/PGP mail? Whenever I see a OUTLOOK popup saying this message has
failed SMIME, I pretty much ignore it. I asked the mail author why he is
sending SMIME signed mail via a mailing list if its going to fail all the
time? What's the point? What happens if some bad guys spoofed him with
HTML virus mail? The "cry wolf" dilemma now has the potential to hurt me.
If the MLS was supportive and added 3rd party signatures, then we simply
need to work out the consistency of what it means in regards to the original
domain.
This is the other source of conflict in the group:
uncontrolled vs. controlled 3rd party signers.
I think once we get pass that hurdle, we are pretty much covered as best as
we can do it.
So overall, I think its doable but it will also mean the original domain
itself has to be more aware and responsible of what it is doing by adding
DKIM into its mail system.
Thanks
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html