Dave,
On 08/04/2010 11:10 PM, Dave CROCKER wrote:
On 8/4/2010 2:01 PM, John Levine wrote:
There's a scenario where a spammer/phisher sets up a mailing list,
...
I don't see how this poses any new problems.
More to the point is that this attack does not appear to be relevant to the
question I asked.
Phrased differently, the question I am asking is:
A mailing list digest does not preserve DKIM signatures from (any of) the
original messages, and this appears to be acceptable to the community.
Are you sure it is acceptable to everyone, or does the community take it
as it is? I agree with you that there should be no difference regarding
the treatment of the original DKIM signature, whether the message
arrives in digest form or not. I'm still not convinced that the original
DKIM signature is not relevant for the verifier of the message at the
receiver side.
The tension that there is between the MLM being a User Actor and being a
Mediator is illustrated with the following text you wrote in RFC5598:
RFC5322 <http://tools.ietf.org/html/rfc5322>.Reply-To: Set by -
Mediator or original Author
Although problematic, it is common for a Mailing List to assign
its own addresses to the Reply-To: header field of messages
that it posts. This assignment is intended to ensure that
replies go to all list members, rather than to only the
original Author. As a User Actor, a Mailing List is the Author
of the new message and can legitimately set the Reply-To:
value. As a Mediator attempting to represent the message on
behalf of its original Author, creating or modifying a
Reply-To: field can be viewed as violating that Author's
intent.
If we look at the MLM as being a User Actor, then I agree that we should
not care about the original DKIM signature. If however we consider the
MLM as a Mediator, we should probably care about the original DKIM
signature.
Is there consensus that in the context of an MLM the original DKIM
signature can be dropped and we should not care about it?
/rolf
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html