On May 26, 2011, at 2:53 PM, Murray S. Kucherawy wrote:
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Steve Atkins
Sent: Thursday, May 26, 2011 2:10 PM
To: DKIM List
Subject: Re: [ietf-dkim] MLMs and signatures again
In that case the reputation of the MLM is poor, and I don't want to
receive email from it. I still don't care about who the participants
are.
The idea that people might sign up for a mailing list full of junk,
and hope that their spam filters / reputation engine will magically
pull the occasional gem out of it seems pretty unlikely. And that's
the premise behind there being value in tracking the reputation
of original authors in the case of their email being re-sent by a
MLM.
Let's say I route all traffic from list X to its own separate mailbox, but I
also want my MUA to flag for special attention mail sent to that list by
people I hold in high regard, for example, and I want that to be based on
their accumulated reputations.
That's relying on an awful lot of vaporware in the MUA, orthogonal to any sort
of authentication. I don't think any MUAs really track sender reputation in any
way[1].
I either have to base that on something forgeable like From:, or on something
reliable like "d=". That doesn't seem magical to me.
Well, d= won't identify the original sender at all, in the case of individuals
sending to a mailing list. It'll identify the domain of their ISP, nothing more.
It's a bit of a contrived example, but right now I would have to maintain
that list manually; it would be nice to have it done automatically based on
feedback I provide to a reputation system.
Tunneling DKIM signatures through MLMs doesn't seem to be the missing bit of
technology needed to do this.
If the MLM signs any email it sends then you have some level of trust in any
information it annotates the mail with.
*If* it were possible to identify the original email author in some way
(S/MIME, PGP, some private shared secret approach....) the MLM could annotate
the mail with that information, and you could trust it enough to filter on. If
the MLM doesn't have enough information to identify the original email author,
it's unlikely you do either - whether there's a second DKIM signature or not.
Cheers,
Steve
[1] It's something that'd be useful, though - it's been on my TODO list for
about two years to add exactly this to our CRM system, via end-user thumbs-up /
thumbs-down buttons.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html