
Re: [ietf-dkim] Re: "I sign everything" yes/no

2006-11-27 07:24:55
On Sun, 26 Nov 2006 09:14:36 -0000, Eliot Lear <lear(_at_)cisco(_dot_)com> wrote:

Jim,

I agree with what others have said, that the netnews, two way pager gateways, and mailing lists are all substantially the same, except for one key thing: in the case of mailing lists it WILL be possible in some way for those systems to preserve the signature, should they so choose.

The one important difference, from our POV, between netnews and mailing lists, is that mailing lists get their input by email, and hence it will likely come already signed.

Not so with Netnews, and not so if the netnews article is then gatewayed into some mailing list. And the problem there (and the only one this WG might need to think about wrt Netnews) is that this can then cause a leak of unsigned messages from domains that claim to "sign everything".

That leaves the cases. Here, the simple answer is that a message must make it TO the originating domain to be signed. That's a change, but not a huge one from my perspective.

It seems a helluva big change to me.

All email leaving sign.all.example gets signed. So far so good.

But news articles posted from sign.all.example don't get signed, because they depart via NNTP rather than SMTP.

The unsigned article arrives at news.gateway.example who wants to submit it, as an email, to somelist(_at_)lists.gateway.example. Now you are saying that it has to be routed somehow from news.gateway.example, via sign.all.example, to lists.gateway.example. How are you going to do that, given that it needs the cooperation of sign.all.example which has never even heard of gateway.example, which is probably on a different continent anyway?

Here are all the possible solutions to this problem that have been suggested so far:

1. Employees at sign.all.example are FORBIDDEN to post News articles.

2. The admins at sign.all.example arrange to sign all outgoing NNTP traffic. Not envisaged by any standard, but it will work OK.

3. Either news.gateway.example or lists.gateway.example resigns the article. Will the verifiers of the ultimate recipients regard that as acceptable? Depends on the reputation of gateway.example.

4. Either news.gateway.example or lists.gateway.example treats the gatewaying operation as a Resend, and adds appropriate Resent-* headers. And probably resigns it as well. Will that make the verifiers of the ultimate recipients any happier? I am doubtful, but I have not yet seen a clear description of what Resenders are supposed to do. And it is NOT customary (it is even deprecated) for list expanders to add Resent-* headers.

5. News.gateway.example somehow arranges the article to take a trip via sign.all.example to pick up a signature, as you appeared to be suggesting above. Fine, if you can arrange for it to happen.

Assuming we can form some opinion on the relative merits of these approaches, where should we report that? The overview document, I should think, or wherever we report on what mailing lists should do. Our charter says:

    The specifications will also advise mailing lists on how to
    take advantage of DKIM if they should choose to do so.

I think it is a reasonable extrapolation from that to consider gateways from Netnews to mailing lists at the same time, because of the similarities and differences between the two cases as discussed above. But I wouldn't want to consider Netnews any further than that limited topic.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
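The gatewaying scenario and options 3 and 4 above turn on what a recipient's verifier does when the only signature on a message comes from the gateway rather than from the "sign everything" author domain. The following is an added illustration (not part of this message, and not the DKIM sender-signing-policy specification) of one plausible verifier decision: it reads the author domain from From:, collects d= tags from DKIM-Signature headers, and decides based on a hypothetical local policy table and a hypothetical resigner reputation list. Cryptographic verification of the signatures is assumed to have happened already; the sample message is constructed.

```python
import re
from email import message_from_string

# Constructed sample: an article that left sign.all.example over NNTP unsigned,
# was gatewayed into a list, and was resigned by the gateway (option 3 above).
GATEWAYED_MSG = """\
DKIM-Signature: v=1; a=rsa-sha256; d=lists.gateway.example; s=sel; h=from:to; bh=...; b=...
From: Alice <alice@sign.all.example>
To: somelist@lists.gateway.example
Subject: gatewayed article

body
"""

# Hypothetical published policies: domain -> claims to sign all outgoing mail.
SIGNS_EVERYTHING = {"sign.all.example": True, "casual.example": False}
# Hypothetical local reputation list of third-party signers the verifier trusts.
TRUSTED_RESIGNERS = {"lists.gateway.example"}


def author_domain(msg):
    """Domain of the From: address, lower-cased, or None if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else None


def signer_domains(msg):
    """Set of d= domains claimed by DKIM-Signature headers on the message."""
    doms = set()
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            doms.add(m.group(1).lower())
    return doms


def assess(raw, verified_signers):
    """Verdict for a message given the set of d= domains whose signatures
    verified cryptographically (that step is outside this example)."""
    msg = message_from_string(raw)
    author = author_domain(msg)
    signers = signer_domains(msg) & set(verified_signers)
    if author in signers:
        return "pass: author-domain signature"
    third = signers & TRUSTED_RESIGNERS
    if third:
        return "accept: trusted resigner " + sorted(third)[0]
    if SIGNS_EVERYTHING.get(author):
        # This is the "leak" case: an unsigned message from a sign-everything domain.
        return "suspicious: author domain signs everything, no acceptable signature"
    return "neutral: no author signature and no signing policy"
```

The same gatewayed message is therefore accepted or flagged depending only on whether the verifier has any basis to trust gateway.example, which is the point made in option 3.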
