On Mar 31, 2009, at 4:36 PM, John Levine wrote:
My problem is that the semantics of the signature that the mailing
list applies shouldn't depend on whether the original author
happens to be in the same domain as the list.
Of course. That's why list mail should use a different signing
domain. It's clearly a poor idea to sign mail from lists that have
contributors in multiple unknown domains with a d= that has an ADSP
assertion
There still does not seem to be a problem. A DKIM signature allows
source differentiation.
d= foo.example.com
i=ietf-examples(_at_)foo(_dot_)example(_dot_)com
- versus -
d= foo.example.com
i=someone(_at_)foo(_dot_)example(_dot_)com
- or -
d= foo.example.com
and no i=
The foo.example ADSP assertion "all" only determines whether the
domain's messages are initially signed. The i= value must still be
used to differentiate messages emanated by the mailing-list or by some
user within the domain. When the i= value is allowed to default, the
intra-domain source of the message can not be determined. What
problem specifically is created or what exploit risk does this create?
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html