ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Clarifying DKIM (etc.) expectations for mailing lists in the face of digests

2010-08-04 14:16:19

Dave CROCKER wrote:
Folks,

As long as there is some effort to review what goals are being pursued, 
with respect to mailing lists, I'd like to raise an additional question:

For typical, modern mailing lists, a subscriber can choose between 
delivery of each message, as posted individually, versus delivery of 
batches of messages in a digest.

In the latter case, no one would reasonably expect a DKIM signature 
from a first (author/originator) sequence to survive.  Yet there seems 
to be some strong expectation that it will or should survive if the 
recipient happens to choose delivery on a per-message basis.

What is the security model that makes this expectation of 
preservation important and reasonable, given that it is so easily 
and whimsically violated by a common recipient-selectable setting?

Good point Dave.

DIGEST MESSAGE

The digest message itself should not present any security issues for 
DKIM signing considerations by the list.  The digest 5322.From is set 
to the list address and the digest body is a unique content creation 
owned and authored by the list itself. Signing the digest should 
result as a valid 1st party for all digest recipients.

INDIVIDUAL MESSAGE

How each message is added to the digest content is implementation based.

In our case, a individual DKIM signed message will not be shown as a 
signed message because the digest format includes  a summary index 
table at the top followed by the text only display of each one showing 
only the necessary primary headers to distinguish the specific message:

     Summary index Table

     --- Digest Message #1 -----
     Date:
     From:
     Subject:

     text/plain body only, no attachments

     --- Digest Message #2 -----
     Date:
     From:
     Subject:

     text/plain body only, no attachments

     ....

So what will it take for individual signed messages to survive a digest?

Since each message submitted to the list is stored in its original 
integrity, the only way I see is to add the validated (with AR header) 
signed message to the digest as a message attachment, probably as a 
content type of message/rfc822.

Most MUAs (like ThunderBird) will display the message/rfc822 
attachment icon and when clicked, a new Message Window is shown. 
This message will be viewed as a signed message by the original author 
and not the distributing list domain.

So I think the individual DKIM message can survive with it original 
signature when added to the digest as a message/rs822 attachment. 
When viewed by the user, it would appear as if the author send a 
direct private message to the user.

Security issues?

I don't see any for the DIGEST signature itself. It would be a more 
trusted 1st party signature by the list domain.

For the individual message views, if saved as an attachments, the list 
should at least validate it and add the AR to it before adding it to 
the digest as a message attachment.  The AR will most likely already 
be in the list message submission added by the edge point WCSMTP 
receiver when it does its DKIM (and ADSP) validation.  So the list 
would not have to worry about doing another DKIM (and ADSP) validation.

-- 
HLS



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>