On Apr 1, 2009, at 8:06 AM, Barry Leiba wrote:
> You might say that in that case, "the mailing list shouldn't sign
> the message," since it wasn't signed before. But the mailing list
> isn't signing the message -- the domain is. The domain might say
> that the mailing list is properly authenticated and authorized, so I
> sign. And the mailing list may have no way to vet the original
> sender, one way or the other. Should *it* behave differently when
> the sender who's posting is in the same domain than it does when the
> sender is not?

A DKIM signature within a message will not offer information without a
validation process. Conveying validation information, as defined by
the Authentication-Results header, includes whether the signature is
valid, the d= and i= values. Domains running a mailing-list at the
same domain shared by their users will produce ADSP compliant messages
for the mailing-list as well as all the users of their domain. When
their own mailing-list does not properly handle their domain's ADSP
assertions, this can be remedied through the use of the i= values,
even when only applied with mailing-list messages, such as
"i=ietf-example(_at_)foo(_dot_)example(_dot_)com" where
"ietf-example(_at_)foo(_dot_)example(_dot_)com" is the address for the
mailing-list.
There is actually a benefit achieved by sharing the user domain with
that of a mailing-list. This mailing-list will produce ADSP compliant
messages for users within the domain, where they would be disadvantaged
by a mailing-list at a different domain. The only cautionary
information that seems important in the case of sharing a domain with
a mailing-list would be to ensure message compliance within the
domain, or/and to assert the i= values for the mailing-list at least.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
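
An added example, not part of the message above or of any DKIM implementation: a sketch of how a receiver could use already-verified d= and i= values to decide whether a message carries an ADSP author domain signature and whether that signature identifies the mailing list. The function names, the selector, the user address and the signature strings are constructed for illustration; the list address is the one from the message, written with "@" and ".".

```python
import re

def parse_tags(value):
    """Split a DKIM-Signature tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def classify(from_addr, verified, list_addr):
    """verified: [(DKIM-Signature value, crypto_ok)] as reported by a DKIM verifier.
    Returns (adsp_compliant, signed_as_list)."""
    author_domain = from_addr.rpartition("@")[2].lower()
    compliant = as_list = False
    for value, crypto_ok in verified:
        tags = parse_tags(value)
        d = tags.get("d", "").lower()
        # i= defaults to "@" + d=; addresses are compared case-insensitively here.
        i = tags.get("i", "@" + d).lower()
        i_domain = i.rpartition("@")[2]
        # DKIM requires the i= domain to be d= itself or a subdomain of it.
        if not crypto_ok or not d or not (i_domain == d or i_domain.endswith("." + d)):
            continue
        if d == author_domain:  # ADSP author domain signature: d= equals From: domain
            compliant = True
            as_list = as_list or i == list_addr.lower()
    return compliant, as_list

# Constructed sample data (bh= and b= are placeholders, not real hashes or signatures).
LIST = "ietf-example@foo.example.com"
SIG_LIST = ("v=1; a=rsa-sha256; d=foo.example.com; s=sel1;\r\n"
            " i=ietf-example@foo.example.com; h=from:to:subject;"
            " bh=CONSTRUCTED; b=CONSTRUCTED")
SIG_USER = ("v=1; a=rsa-sha256; d=foo.example.com; s=sel1;"
            " i=alice@foo.example.com; h=from:to:subject;"
            " bh=CONSTRUCTED; b=CONSTRUCTED")

if __name__ == "__main__":
    for author, sigs in [("alice@foo.example.com", [(SIG_LIST, True)]),
                         ("alice@foo.example.com", [(SIG_USER, True)]),
                         ("bob@other.example", [(SIG_LIST, True)])]:
        print(author, classify(author, sigs, LIST))
```

A same-domain author whose message was signed on the list's behalf is ADSP compliant and distinguishable by i=, while an author at another domain gains nothing from the list domain's signature.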