ietf-dkim

Re: [ietf-dkim] Why mailing lists should strip DKIM signatures

2010-04-23 18:29:07
-----Original Message-----
From: John R. Levine [mailto:johnl(_at_)iecc(_dot_)com]
Sent: Friday, April 23, 2010 4:04 PM
To: Murray S. Kucherawy
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: RE: [ietf-dkim] Why mailing lists should strip DKIM signatures

I am about 99% certain that the FBL reports that started this discussion
were either a guy who wanted to unsub from the list, or he reported his
whole inbox.  Nearly all of the FBL reports I get are one or the other,
but this was the first time I got them for someone else's list.  As I
believe I said, it didn't break anything here, but it was a useless
transaction, and for a small site like mine that has users who belong to a
lot of lists, it could easily dominate FBL traffic.

Unfortunately I expect there to be a level of noise to which we'll just have to 
become accustomed.  This is probably already true in the FBL world anyway.  
There might be ways to reduce or filter it but any design work I do will expect 
some.

Well, yes, leaving out irrelevant info avoids misleading them.  More info
is not necessarily better, particularly in a situation like this where a
recipient doesn't know the order or relationship of multiple signatures
unless it has separate knowledge about the parties involved.

Although you seem to have concluded so already, I don't agree that it's 
irrelevant data.  Some verifiers might want to see both as a matter of local 
policy, and maybe there's an algorithm out there that would work in the 
majority of cases which requires access to all of the signatures.  Absent a 
proof one way or another, I'll opt for making more information available.

This returns us to the original question.  Other than the implausible
scenario of a system that is managed well enough to maintain the chain of
signature headers, but that makes no attempt to keep spam out of its
lists, in what scenario would this be of practical use in managing Z's
mail?  If Z trusts Y, why wouldn't it be sending reports about Y's lists
to Y?

The question I was discussing wasn't about where to send abuse reports, it was 
about whether or not to believe what was claimed by the authentication data Y 
sent to Z.  If Y says it saw a signature from X that validated, should Z 
believe that claim or not?

People have been saying since the dawn of DKIM that they want to see the
incoming signatures on list mail, but I have yet to hear a plausible story
about what to do with them.  As far as I can tell, it's just an unexamined
assumption that more signatures must be better, or that they as the
original signer will then somehow be able to tell recipients what to do.

I think you nailed it: It's an unexamined assumption.  But so, to me at least, 
is the assertion that an author signature to a list is a bad idea for senders 
and will only serve to confuse verifiers.  I'd like to see some data collected 
from such systems before I'm willing to agree or disagree with either 
perspective.  And until then, I don't want to exclude anything.

A favourite example of mine: A DKIM signature with an "l=" passes the DKIM 
module, but the verifier makes use of hooks into the module that allow it to 
discover the message quadrupled in size after signing.  As a result, it 
quarantines the message, as required by local policy.  That's more information 
than RFC4871 requires the DKIM module to provide, but it served a useful 
purpose.

Another: A DKIM signature arrived and validated, but failed to cover the 
Subject: header field.  The receiver discovers this and disallows the message 
(or filters it differently) due to local policy that's concerned with a change 
to what would appear in an inbox summary.  Again, it's more information than is 
required, but it's useful.

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
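
The two local-policy examples in the message above (an "l=" signature whose body grew after signing, and a valid signature whose "h=" list omits Subject) can be sketched as a check that runs after the DKIM module has reported a pass. This is an added example, not part of the original message or of any DKIM implementation; the function names, the finding strings, the `required` and `max_growth` policy knobs and the sample signatures are assumptions made for illustration.

```python
import re

def parse_tags(sig_value):
    """Parse the tag=value list of a DKIM-Signature header field value."""
    tags = {}
    for item in sig_value.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            # Unfold the header and drop whitespace inside the value.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def policy_findings(sig_value, canon_body, required=("from", "subject"), max_growth=4):
    """Local-policy checks for a signature the DKIM module already validated.

    canon_body is assumed to be the body bytes after the c= canonicalization.
    required and max_growth are hypothetical policy knobs, not DKIM parameters.
    """
    tags = parse_tags(sig_value)
    findings = []
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    for name in required:
        if name not in signed:
            findings.append("unsigned-header:" + name)
    if "l" in tags:
        if not tags["l"].isdigit():
            findings.append("malformed-l")
        else:
            covered = int(tags["l"])
            # Octets past l= are not covered by the body hash.
            if len(canon_body) > covered and len(canon_body) >= max_growth * covered:
                findings.append("body-growth:%d/%d" % (covered, len(canon_body)))
    return findings

# Constructed sample signatures; bh= and b= are placeholders, not real values.
SIG_PARTIAL = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel1;\r\n"
               "\th=From:To:Date:Message-ID; l=120; bh=PLACEHOLDER; b=PLACEHOLDER")
SIG_FULL = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel1;\r\n"
            "\th=From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    print(policy_findings(SIG_PARTIAL, b"x" * 480))  # 120 signed octets, 480 received
    print(policy_findings(SIG_FULL, b"x" * 480))
```

The check does not verify the signature itself; it only inspects what a passing signature actually covered, which is the extra information the message argues a verifier may want.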
