Hi Murray,
Thanks for taking a shot at this. Here are some comments on the Lists
draft.
First, I support the draft becoming a working group document.
However, I wonder if it requires simplification with a bit more
discussion as to motivation. I'll get into some of that below.
Introduction 3rd and 4th bullets should use consistent terminology, so I
suggest:
s/mailing list/MLM/
Section 1.2
MLM behaviors are well-established and standards compliant.
I don't understand what you mean by standards compliant.
Same section lower down:
However, the fact that the From
field of such a message is typically the same as for the original
message and that recipients perceive the message as "from" the
original author rather than the MLM creates confusion about
responsibility and autonomy for the re-posted message.
Isn't there standard terminology to distinguish between the From and
from (e.g., SMTP-From)?
Section 1.3
FBL? What a horrible misuse of an already common term. Is there a cite
for this or can we change it?
Section 3.1
I *love* the title of this section!!!
However- I believe we need to be careful to cite the source of these
definitions, so as to avoid conflict should they change.
Section 3.2
The remainder of this document operates on the presumption that a
message going through a re-posting MLM actually comprises two message
transactions
s/re-posting/resending/
?
I think, by the way, that 3.2 should probably be expanded with regard to
the logic behind steps 1 and 2. Seems to me that's the thing that will
help mailing list maintainers understand why the solution is correct.
Section 4.1.
I'm uncomfortable with this section. I don't know how an author is
supposed to know whether an MLM is a participant or non-participant.
Moreover, discrimination at the enterprise level seems like a great
opportunity for us vendors to sell more hardware without much customer
benefit.
I would rather see this section simply say that messages originating
from ADMDs that have strict ADSP polices are advised to not make use of
either non-participating MLMs that corrupt signatures.
Section 5.1
Authors may be well-advised to create a DNS domain specifically used
for generating signatures when sending traffic to MLMs
I think you have to be really clear on this point, because it can be
read in one of several ways:
* Author domain should be used expressly to transmit to MLMs, in
which case you should make it clear when this should be the case
(e.g., you couldn't imagine an entire enterprise redoing their
email infrastructure to such an end)
* The SIGNING domain and NOT the author domain should be used
expressly to transmit to MLMs, in which case we have a problem I
mentioned above;
* Something else
Section 5.2:
In the case of verification of signatures on subscriptions, MLMs are
advised to add an [AUTH-RESULTS] header field to indicate the
signature(s) observed on the submission as it arrived at the MLM and
what the outcome of the evaluation was.
What if any level of operational trust should be placed in such a header?
Section 5.4
A DKIM-aware resending MLM is encouraged to sign the entire message
as it arrived, especially including the original signatures.
Would I as an MLM want to resign a message that I received that itself
was not signed? Do I want to confer more authority to that message than
is warranted?
Eliot
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html