ietf-dkim

Re: [ietf-dkim] draft-ietf-dkim-mailinglists annex MUA considerations

2010-08-17 13:19:03
On Monday 16 August 2010 20:25:16 Charles Lindsey wrote:
On Sun, 15 Aug 2010 04:50:13 +0100, Daniel Black <daniel(_dot_)subs(_at_)internode(_dot_)on(_dot_)net> wrote:
If users are to place value in From headers as MUAs display and ADSP tries to
enforce then mangling From headers adds complexity to the interpretation of
the header field by the end user.

If the original was
    From: Joe Doe <joe@discardable.example>
and a recipient sees it as
    From: Joe Doe <joe%discardable.example@mlm.example>
then he will still have a pretty clear idea that it originated from Joe
Doe, and may even be able to correctly guess Joe's original email address
even if he is unfamiliar with the percent-hack.

I'm trying to get the same goal by recommending adding some non-artistically
specified form of a "list: mlm.example" display so it's more evident to the
user without percentage hacks. Current users are left out but a clearer
interpretation in the future is the tradeoff in values I'm making.

ANNEX A - MUA Considerations

A MUA could implement the following features to reduce the need for signature
modifications:
* Display of the List-ID header field beside where a subject header field is
displayed.
* Functionality to create a filter based on the List-ID header field.

I agree it would be a Good Thing if MUAs routinely displayed some of the
List-* headers as a default feature.

But you seem to be suggesting that an MUA should be set up to accept
messages with a List-Id plus a valid signature from the MLM, even from a
discardable origin.

Good point. Should verifiers and MUAs do this check? I was hoping MUAs would
only need to parse Authenticated-Results rather than full DKIM/ADSP so a MUA
doing ADSP lookups would enter into an offline/online MUA discussion as
Hector mentioned and talks about the validity period of DNS records.

Ignoring the fact that such emails may be already discarded by some
boundary agent, that is still an open invitation to every Phisher to add a
List-ID from some bogus list to every message he sends, and to add a valid
signature from that bogus list (and perhaps even a deliberately invalid
signature from the phished domain).

Somehow, MUAs need to be aware of which lists the user is subscribed to if
they are going to do that sort of thing.

Good idea. I'll try to word that in for the next rewrite. Alternately a MUA 
maintains good/bad/indifferent third party signature lists and varies the 
display for this.

Thanks for the review Charles.

Daniel
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
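
Added example (not part of the original message or the draft): one way an MUA could act on the points in this exchange, reading only Authentication-Results instead of doing DKIM/ADSP itself, and treating a List-ID as meaningful only for lists the user is subscribed to. The authserv-id, the subscription table, the use of the `header.d` result property and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.recipient.example"  # assumption: the user's own boundary MTA
# Assumption: the MUA records, per subscribed List-ID, the MLM's signing domain.
SUBSCRIPTIONS = {"discuss.mlm.example": "mlm.example"}

def dkim_pass_domains(msg):
    """Domains reported dkim=pass, counting only headers from the trusted authserv-id."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        authserv = (parts[0].split() or [""])[0].lower()
        if authserv != TRUSTED_AUTHSERV:
            continue  # anyone can add this header; ignore results we did not produce
        for res in parts[1:]:
            m = re.match(r"dkim\s*=\s*pass\b.*?\bheader\.d=([\w.-]+)", res, re.I | re.S)
            if m:
                passed.add(m.group(1).lower())
    return passed

def list_id(msg):
    """Return the identifier inside <...> of the List-Id header, or None."""
    m = re.search(r"<([^<>]+)>", msg.get("List-Id", ""))
    return m.group(1).strip().lower() if m else None

def classify(raw):
    """Decide how the MUA should treat the List-ID when rendering the message."""
    msg = message_from_string(raw)
    lid = list_id(msg)
    if lid is None:
        return "no-list"
    expected = SUBSCRIPTIONS.get(lid)
    if expected is None:
        return "unknown-list"     # List-ID present, but the user never subscribed
    if expected in dkim_pass_domains(msg):
        return "subscribed-list"  # show "list: ..." beside the Subject
    return "unverified-list"      # subscribed list claimed, MLM signature not verified

def sample(authres, listid):
    """Build a constructed test message (not real traffic)."""
    return (f"Authentication-Results: {authres}\n"
            f"List-Id: <{listid}>\n"
            "From: Joe Doe <joe@discardable.example>\n"
            "Subject: test\n\nbody\n")

GENUINE = sample("mx.recipient.example; dkim=pass header.d=mlm.example;\n"
                 " dkim=fail header.d=discardable.example", "discuss.mlm.example")
BOGUS = sample("mx.recipient.example; dkim=pass header.d=bogus-list.example;\n"
               " dkim=fail header.d=discardable.example", "news.bogus-list.example")

if __name__ == "__main__":
    print(classify(GENUINE), classify(BOGUS))
```

Only the `subscribed-list` result would justify any special display; a valid signature from a list the user never joined is classified the same way whether or not the author-domain signature verified.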