On 4/29/10 6:06 PM, John Levine wrote:
I just don't see how you can simultaneously say "throw away unsigned
mail" and "don't throw away unsigned mail if a list says it used to
be signed" unless you have some way to identify trustworthy lists.
Agreed. People might trust authentications of a From domain based upon
valid Author Signatures, but they should not trust From domains based
upon A-R header indications of previous Author Signatures without
knowing how the A-R headers were processed. Any assumption of proper
processing would permit simple exploits and invite abuse. Those most
interested in determining proper A-R header processing by third-parties
would be those with an interest in protecting their recipients, such as
financial institutions.
But once you know that a list is trustworthy, why wouldn't you just
accept all its mail? I just don't see a plausible scenario where you
you know you trust the list but still want to accept or reject mail
based on assertions the list itself makes.
Not all mailing-lists will remove A-R headers. One misleading A-R header
from a normally acceptable mailing-list promoting inappropreate trust
could be replayed in a spam campaign. Such messages would be difficult
to reject and might lead to inappropriate annotations. Who should be
expected to retain audits of A-R header handling?
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html