Dave CROCKER wrote:
> Folks,
>
> As long as there is some effort to review what goals are being pursued,
> with respect to mailing lists, I'd like to raise an additional question:
>
> For typical, modern mailing lists, a subscriber can choose between
> delivery of each message, as posted individually, versus delivery of
> batches of messages in a digest.
>
> In the latter case, no one would reasonably expect a DKIM signature
> from a first (author/originator) sequence to survive. Yet there seems
> to be some strong expectation that it will or should survive if the
> recipient happens to choose delivery on a per-message basis.
>
> What is the security model that makes this expectation of
> preservation important and reasonable, given that it is so easily
> and whimsically violated by a common recipient-selectable setting?

Good point Dave.
DIGEST MESSAGE
The digest message itself should not present any security issues for
DKIM signing considerations by the list. The digest 5322.From is set
to the list address and the digest body is a unique content creation
owned and authored by the list itself. Signing the digest should
result as a valid 1st party for all digest recipients.
INDIVIDUAL MESSAGE
How each message is added to the digest content is implementation based.
In our case, an individual DKIM signed message will not be shown as a
signed message because the digest format includes a summary index
table at the top followed by the text only display of each one showing
only the necessary primary headers to distinguish the specific message:
Summary index Table
--- Digest Message #1 -----
Date:
From:
Subject:
text/plain body only, no attachments
--- Digest Message #2 -----
Date:
From:
Subject:
text/plain body only, no attachments
....
So what will it take for individual signed messages to survive a digest?
Since each message submitted to the list is stored in its original
integrity, the only way I see is to add the validated (with AR header)
signed message to the digest as a message attachment, probably as a
content type of message/rfc822.
Most MUAs (like Thunderbird) will display the message/rfc822
attachment icon and when clicked, a new Message Window is shown.
This message will be viewed as a signed message by the original author
and not the distributing list domain.
So I think the individual DKIM message can survive with its original
signature when added to the digest as a message/rfc822 attachment.
When viewed by the user, it would appear as if the author sent a
direct private message to the user.
Security issues?
I don't see any for the DIGEST signature itself. It would be a more
trusted 1st party signature by the list domain.
For the individual message views, if saved as attachments, the list
should at least validate it and add the AR to it before adding it to
the digest as a message attachment. The AR will most likely already
be in the list message submission added by the edge point WCSMTP
receiver when it does its DKIM (and ADSP) validation. So the list
would not have to worry about doing another DKIM (and ADSP) validation.
--
HLS
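
The two digest formats discussed in this message, as an added example that is not part of the original post and not any list software's code: the text-only flattening drops the DKIM-Signature header, while a message/rfc822 part carries the stored message byte for byte. The domains, boundary string, function names and placeholder signature values are constructed; only byte preservation and the DKIM relaxed body hash (RFC 6376 section 3.4.4) are checked, not the RSA signature.

```python
import base64, hashlib, re

CRLF = b"\r\n"
BOUNDARY = b"digest-boundary-constructed"  # assumed value for this example

# Constructed sample of a stored list submission; bh=/b= are placeholders.
ORIGINAL = CRLF.join([
    b"Authentication-Results: lists.example; dkim=pass header.d=author.example",
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=author.example;",
    b"\ts=sel; h=from:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER",
    b"Date: Mon, 1 Jan 2024 00:00:00 +0000",
    b"From: author@author.example",
    b"Subject: Hello list",
    b"",
    b"Body line with trailing space  ",
    b""])

def relaxed_body_hash(raw):
    """SHA-256 over the relaxed-canonicalized body, base64 as in a bh= tag."""
    body = raw.partition(CRLF + CRLF)[2]
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()                      # ignore trailing empty lines
    canon = b"".join(l + CRLF for l in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def flatten_text_only(raw):
    """Digest entry as described in the post: Date/From/Subject plus body."""
    head, _, body = raw.partition(CRLF + CRLF)
    keep = [h for h in head.split(CRLF)
            if h.lower().startswith((b"date:", b"from:", b"subject:"))]
    return CRLF.join(keep) + CRLF + CRLF + body

def build_digest(originals):
    """Digest with an index part and each stored message as message/rfc822."""
    head = (b"From: list@lists.example" + CRLF + b"Subject: Digest" + CRLF +
            b"MIME-Version: 1.0" + CRLF + b'Content-Type: multipart/mixed; '
            b'boundary="' + BOUNDARY + b'"' + CRLF + CRLF)
    parts = [b"Content-Type: text/plain" + CRLF + CRLF +
             b"Summary index: %d messages" % len(originals)]
    parts += [b"Content-Type: message/rfc822" + CRLF + CRLF + m for m in originals]
    body = b"".join(b"--" + BOUNDARY + CRLF + p + CRLF for p in parts)
    return head + body + b"--" + BOUNDARY + b"--" + CRLF

def extract_attached(digest):
    """Return the raw bytes of every message/rfc822 part, unmodified."""
    out = []
    for chunk in digest.split(CRLF + b"--" + BOUNDARY)[1:-1]:
        hdrs, _, content = chunk[2:].partition(CRLF + CRLF)
        if b"message/rfc822" in hdrs.lower():
            out.append(content)
    return out
```
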