--On 30 April 2010 08:02:44 -0400 "John R. Levine" <johnl(_at_)iecc(_dot_)com>
wrote:
I just don't see a plausible scenario where you you know you trust the
list but still want to accept or reject mail based on assertions the
list itself makes.
How about you trust the list, and it says the inbound message wasn't
signed? The list has left the value judgement to the recipient.
I've been using mailing lists for 35 years, and I cannot recall any where
the list manager threw up his hands and didn't manage the list's
contents.
I don't think that's what I'm saying. Currently lists don't do much to
authenticate senders. I don't think it's implausible that a recipient might
have stricter rules than a list manager. It might be unusual, I suppose.
The conceptual model of mailing lists has been consistent for
decades: the list picks mail to pass along using whatever manual or
automated process it uses, and subscribers accept the mail the list
sends. I don't see the point in trying to retroactively redefine the
ways that lists work to try to shoehorn them into the limits of poorly
desiged security add-on.
See "forgery" for another example of the same newthink, in which the SPF
crowd tried to persuade the world that SPF's failure to handle long
established forwarding models was the fordwarders' fault.
R's,
John
--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html