-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of MH Michael Hammer (5304)
Sent: Friday, April 23, 2010 11:22 AM
To: Al Iverson; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Why mailing lists should strip DKIM signatures

The fact that it is easier does not make it correct - doesn't
necessarily make it incorrect either - that's in part what the
discussion is about. So if the list strips the signature and doesn't
sign itself then John's responsibility (which he asserted) is abrogated
with no acceptance of responsibility by the list owner. Is this really
a general behavior that we want to promote? I ask this in all
seriousness.
[...]
I think I tend to agree with Steve. Notify all parties that assert
responsibility. That would include the author domain signer as well as
the list if they wish to accept responsibility for mail they emit.

If I'm running a mailing list and I get a piece of signed mail, I'm certainly
not removing its signature. The signer's reputation should suffer if people
complain, or benefit in the absence of a complaint.

My lists are (theoretically) generally clean, so I trust that over the long
term my domain maintains a good reputation. A receiver can therefore run both
signatures, detect that one is bad (or unknown) but the other has a history of
good content, and then make an appropriate conclusion. I wouldn't want to
remove that information from a receiver.

Even without thinking of the FBL issues, I would want a reputation system to
be fully informed about a candidate system rather than only partially informed.

I spoke to a couple of people about this in Anaheim: A way of using DKIM and
Auth-Results to establish a definite chain of custody of a message would be
highly useful.
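
Added example (not part of the message above, and not code from any DKIM implementation): a receiver-side sketch in Python that reads every `dkim=` result from an Authentication-Results header and looks up each verified signing domain separately, comparing a message that keeps both signatures with one where the list stripped the signature and did not sign. The domains, the reputation scores, the thresholds and the way the verdict is combined are all assumptions made for illustration.

```python
import re

# Constructed reputation data (assumption): score in [0, 1] per signing domain.
REPUTATION = {"lists.example.org": 0.95, "spammy.example.net": 0.05}

# Matches one "dkim=<result> ... header.d=<domain>" entry of the header.
_DKIM_RE = re.compile(r"^dkim\s*=\s*(\w+)\b.*?\bheader\.d\s*=\s*([\w.-]+)", re.I | re.S)


def parse_dkim_results(header_value):
    """Return [(result, domain)] for each dkim entry in an Authentication-Results value."""
    # Drop (non-nested) comments, then skip the leading authserv-id.
    no_comments = re.sub(r"\([^()]*\)", "", header_value)
    found = []
    for entry in no_comments.split(";")[1:]:
        m = _DKIM_RE.match(entry.strip())
        if m:
            found.append((m.group(1).lower(), m.group(2).lower()))
    return found


def assess(header_value, good=0.8, bad=0.2):
    """Label every verified signer, then combine (the combining policy is an assumption)."""
    signers = {}
    for result, domain in parse_dkim_results(header_value):
        if result != "pass":
            continue  # an unverified signature asserts nothing about its domain
        score = REPUTATION.get(domain)
        if score is None:
            signers[domain] = "unknown"
        else:
            signers[domain] = "good" if score >= good else "bad" if score <= bad else "neutral"
    labels = set(signers.values())
    if "bad" in labels:
        verdict = "review" if "good" in labels else "reject"
    elif "good" in labels:
        verdict = "deliver"
    else:
        verdict = "no-reputation-signal"
    return verdict, signers


# Constructed headers: both signatures kept, versus stripped by the list and not re-signed.
BOTH = ("mx.receiver.example; dkim=pass (author) header.d=newsender.example; "
        "dkim=pass (list) header.d=lists.example.org")
STRIPPED_UNSIGNED = "mx.receiver.example; dkim=none"
```

With `BOTH`, the unknown author domain and the well-regarded list domain are each visible to the reputation lookup; with `STRIPPED_UNSIGNED`, no domain has asserted responsibility and there is nothing to look up.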