ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] MLMs and the use of multipart/alternative to preserve original DKIM signature and at the same time add a new DKIM signature

2010-08-03 05:06:12
On 08/03/2010 02:36 AM, John Levine wrote:
The proposal is to preserve the original message + DKIM signature and to
add the new (probably partially rewritten) output message, combined into
a multipart/alternative structure. The combined message is sent by the
MLM to the recipient.
     
Once again, I can only see this as screwing up the 99+% of users for
whom the lists work just fine for the<1% who consider themselves so
important that they need to mark their list mail with ADSP.
   

I did not have ADSP in mind when writing this proposal. Let me be clear 
about ADSP: IMO domains that publish adsp=discardable and yet send mail 
with that domain via mailing lists, get what they deserve: problems.

Imagine you're a list manager.  Your list has 1000 subscribers.  Two
of them demand that you do something to prevent address forgery due to
forged unsigned messages, a problem that you have never observed to
happen on your lists.  What do you do?  I know what I'd do.
   

In a nutshell the problem of the combination DKIM + MLM can be 
summarized (and simplified) as follows.

On the plus side:

1. the mail that is received by a subscriber to a mailing list carries 
(most of the time) the original From.
2. the original DKIM signature can still be present in the message (if 
we recommend the MLM authors to not remove DKIM-Signatures)

However...

3. the MLM rewrites the Subject (in many cases)
4. the MLM adds a footer (many cases)
5. see par. 3.3 of Murrays draft for more things MLMs do to messages

That means, we have a signature + From, but we no longer have a reliable 
copy of the message to verify them.

6. we can tell the MLM authors to change their code to no longer do 3., 
4. and 5. but, as Murray describes in par. 3.4:

<quote>
However, the practice of applying headers and footers to message
bodies is common and not expected to fade regardless of what
documents this or any standards body might produce.
</quote>

With this situation in mind, I wrote my proposal, to provide the 
verifier on the receiving side with a means to verify the original DKIM 
signature.

/rolf
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>