On 24/Apr/10 01:26, Murray S. Kucherawy wrote:
The question I was discussing wasn't about where to send abuse reports, it
was about whether or not to believe what was claimed by the authentication
data Y sent to Z. If Y says it saw a signature from X that validated, should
Z believe that claim or not?
Z should not. Consider: Y verifies X's signature, writes an A-R line,
and signs it. Later on, Z verifies Y's signature. However, Z's A-R
will not repeat all of Y's resinfos: Although Z has verified that Y's
A-R is pristine, it doesn't take the responsibility of reasserting
those claims, even at the cost of significantly increasing the
complexity of consuming Y's A-R downstream.
Likewise, unless a Z's user has specifically mentioned "Y" in her
trust settings --which is unlikely-- any software acting on her behalf
cannot automatically derive the confidence to assert that the message
has a valid author signature.
People have been saying since the dawn of DKIM that they want to see the
incoming signatures on list mail, but I have yet to hear a plausible story
about what to do with them.
I think you nailed it: It's an unexamined assumption. But so, to me at
least, is the assertion that an author signature to a list is a bad idea for
senders and will only serve to confuse verifiers.
Author signatures are special because the content of the "From" field
is displayed to recipients. Even if many lists claim copy rights et
cetera, the moral responsibility of a message rests with its author. I
think that's why rfc4871 gives the "From" field foremost importance.
The /visibility/ of a mailing list consists of tagging the "Subject",
and possibly being delivered to a specific folder. Perhaps, list
signatures should be liken to author signatures in this respect. (Is
the relationship between "List-ID" and the tag standardized?)
A DKIM signature with an "l=" passes the DKIM module, but [...]
Some servers rewrite MIME boundaries or prologue. I'm planning to set
"l=0" for all but text/plain messages.
A DKIM signature arrived and validated, but failed to cover the Subject:
header field.
I don't sign the subject, so as to let mailing lists tag it as required.
In facts, in-transit tampering is not something I've seen very often.
Comparing their frequency with that of abused domain names in the
"From" field, they are negligible.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html