On Wed, 03 Jun 2009 14:58:06 +0100, John Levine <johnl(_at_)iecc(_dot_)com>
wrote:
The most common use of A-R will likely involve a secure channel
between the place where it's applied and the place where it's
interpreted, e.g., it's applied at a border MTA and it's interpreted
in a downstream MTA or MUA within the same network. In that case, you
don't need a signature.
Agreed, but that is not the situation of concern.
If you imagine that there are strangers elsewhere in the world who
would be impressed by your opinion of a message you were forwarding,
you might want to sign it, but as I've noted before, if you're
forwarding it and mutating it enough that recipients wouldn't use an
incoming signature (i.e., you're a mailing list) you'd best take care
to send and sign only mail that recipients are likely to want.
A competent mailing list admin would reject all messages from dubious
sources. But it would be foolish to assume that all such admins are as
competent as we would wish. So the mere fact that they (re)sign messages
does not prove their origin, except insofar as you are prepared to have
confidence in their competence.
If they try to bolster your confidence in them by offering an A-R header
to show their diligence in eliminating dubious messages, then that is well
and good, but if they are unwilling to put their signature where their
mouth is, then why should I be impressed? I don't see why you would choose
to regard me, as a member of your mailing list, as some "stranger
elsewhere in the world".
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html