Byung-Hee HWANG wrote:
Totally i agree with you. Actually ADSP depends on DKIM signature
specification reexamining now, i think.
One question I am still wondering about is whether this reexamination
is justified. I think the complexity is what it always was:
Whether or not and how middle ware (3rd parties) deals
with signed or unsigned mail.
A good example is how a MLS (Mail List Server) is molding how ADSP and
DKIM should be redefined. The trouble is that it can be half-baked,
it may only look at it from one side but not the other side. A MLS,
like the one that servers this IETF-DKIM mailing list, is stripping
any DKIM-signature, resigning all mail distribution.
On the one side, the GOOD side, it may be legitimate to do this. But
what about the BAD side, is it going to ignore that?
For example, a domain has a DKIM=ALL policy. I think that means
anyone can sign but it must be signed.
On the good side, the DKIM-aware MLS, an inherent data destruction
middle ware, will strip and resign it. The mail remains signed and it
is valid too. Thats good.
On the bad side, someone tries to SPOOF the domain by sending mail to
list and its not signed.
The question is whether DKIM-aware MLS going to honor the DKIM=ALL and
reject this spoof or continue with the resigning and distribute the mail?
There is also a presumption the MLS will first validate the original
signature before it continue with the resign.
We author a MLS too and this is the type design change implementation
questions I have. IMV, the DKIM-aware MLS needs to first honor the
possible ADSP, if any, before it decides to blindly resign all mail.
Crossing all the tees and dotting all the eyes.
--
Sincerely
Hector Santos
http://www.santronics.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html