On May 22, 2009, at 6:53 AM, Eliot Lear wrote:
l= provides a benefit when the SIGNERS sign, and mailing lists DON'T
DISTURB. This does happen, although we can debate how often. The
key point is that if the mailing lists employ an anti-spam check and
resign, there is probably no need for l=. This to me means that l=
should be viewed as a Time To Market function to have more valid
signatures out there, and is best obviated by deployment of DKIM in
mailing list software. That's happened in some place, but not enough.
I stand by my point that it is perfectly feasible to mitigate any
risks that l= introduces. But. Those risks DO have to be mitigated.
So here's where I come down: nuke l=, but get the mailing list
software people to sign. The big one I would want to tackle is
MailMan.
Why limit the l= discussion to messages being changed made mailing
lists???
Mailing lists will not affect often phished transactional email where
retaining valid signatures is far more important. It is too soon to
conclude how DKIM is best used. Many recipients will receive messages
with various bits of text added, such as ads which may unsafe,
especially when iFRAMEs are commonly inserted into websites. Removing
the l= parameter will ensure DKIM is unable to cope with this
situation and DKIM signatures will fail to provide the desired
protection. People may even expect DKIM signatures to fail whenever a
notice is added. This creates an obvious mode for phishing by adding
fake notices.
Not all providers check DKIM signatures. To improve DKIM coverage, it
could become important for MUAs to remain able to bridge protection
gaps and deal with typical environments, and indicate appended
information.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html