Re: [ietf-dkim] draft-ietf-dkim-mailinglists-02 review

> But if that stuff was signed before entering our whatevers, how can we 
> verify the signature when pulling it out?  This question may entirely 
> invalidate assumptions that nobody ever actually made about somebody 
> else's theoretical wiping policy!
Not to stretch this metaphor too far, but I believe that the assertion 
that people care whether mail inbound to MLMs was signed remains utterly 
unsupported.
Give the IETF's traditions, the usual way to show that you care about 
something is to write the code to do it.  For the lists I run, I've 
modified MJ2 to put a signature on outgoing mail with the list's domain 
and a private field to say which list it was.  I can't say I've seen any 
improvement in delivery which was already close to 100%, but it certainly 
hasn't hurt anything and it's made it easier to process Yahoo FBLs. 
That's one of the reasons I'd want a list BCP to tell lists to sign their 
mail; I've tried it, albeit at small scale, and it works.  We know from 
reports that at least one MTA misimplements ADSP to reject on discardable 
failures, which suggests that a robust MLM should be prepared to deal with 
that, most simply by pre-discarding anything that might cause that 
problem.  I haven't implemented that because, so far at least, none of my 
susbcribers appear to use ADSP so it's pretty low on my list of things to 
worry about.
Based on recent correspondence, it appears that one of the most vehement 
advocates of modifying MLMs to work around ADSP and to pass through info 
to retroactively check contributor signatures hadn't noticed that I put 
S/MIME signatures on my list mail and that even though it adds a footer to 
each message, Mailman passes the signatures through so his MUA can verify 
them.  Care?  Get real.
R's,
John

smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html