-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-
bounces(_at_)mipassoc(_dot_)org] On Behalf Of Ian Eiloart
Sent: Thursday, September 16, 2010 6:20 AM
To: Hector Santos; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] draft-vesely-dkim-joint-sigs
<SNIP>
I don't think so. The original signature should only sign the DKIM-
required
and From headers, and perhaps enough other headers to reduce utility
of
replay attacks. Importantly, they should only sign parts that are
likely
to
be unbroken by the MLM, thus satisfying ADSP requirements. However,
the
recipient knows that a valid signature from the MLM is required, too.
Thus,
the original DKIM signature is only valid for messages going through
the
list - off list replay isn't possible. On-list replay can be limited
by
ALSO including a full DKIM signature, for the list to check before
redistributing.
Ian, this makes no sense to me. If a signing domain is concerned enough
to choose to implement ADSP, why would they reduce what they are signing
to accommodate a small percentage of their mail going to MLMs that they
may or may not be able to identify? I don't remove the locks on my doors
because there is a possibility that someone might break one of my
windows.
I've said it before and I'll say it again. MLMs are the tail, not the
dog. Don't wag the dog.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html