ietf-mailsig

RE: Ramblings on RFC2822 signatures.

2004-09-19 12:26:07

On Sun, 19 Sep 2004, David Woodhouse wrote:

> On Sat, 2004-09-18 at 23:58 -0500, Seth Goodman wrote:
>
> > Lists do it now by the submitting address (broken ones use the
> > return-path), so they can switch to validating signatures instead.
>
> I disagree. That reduces it to a hop-by-hop scheme again. In order to
> determine the probability that this message really did come from me,
> you'd have to ponder how much you trust the list server to have actually
> checked.

When handling mail list mail, I would *much* rather be checking for
whitelisting/reputation information about the address of the *list* than
the address of individuals posting to it.  Specifically, I don't want to
take the risk of having different posts to the same thread being treated
differently based on who they are from (almost as risky as today's
content-filtering approaches).

It's not that Seth's suggestion "reduces" the crypto solution to a
hop-by-hop scheme, but that the mailing list really *should* be taking
responsibility for the message.

Now a very interesting engineering problem is to allow multiple
signatures, so that you can verify the original content of the poster's
message if you care to, and then verify the full text of the mail-list
modified message came from the mail list server.  For day-to-day usage
though, only the latter is really all that interesting IMO.

-Rand
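
The two-signature arrangement described in the message above, as an added Python example that is not part of the original thread. It assumes the list only appends a footer, uses HMAC with constructed keys as a stand-in for public-key signatures, and the `body_len` field and all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo keys; HMAC stands in for a real public-key signature.
KEYS = {"poster@example.org": b"poster-demo-key",
        "list@example.net": b"list-demo-key"}


def _mac(signer, role, data):
    key = KEYS.get(signer)
    if key is None:
        return None  # unknown signer: nothing can verify
    return hmac.new(key, role + b"\0" + data, hashlib.sha256).hexdigest()


def _ok(sig, role, data):
    expected = _mac(sig["signer"], role, data)
    return expected is not None and hmac.compare_digest(sig["sig"], expected)


def _list_input(poster_sig, body):
    # The list signature also covers the poster's signature fields.
    return repr(sorted(poster_sig.items())).encode() + body


def poster_sign(sender, body):
    """Poster signs the body as written and records its length (hypothetical field)."""
    return {"signer": sender, "body_len": len(body),
            "sig": _mac(sender, b"poster", body)}


def list_resign(list_addr, poster_sig, body, footer):
    """List appends its footer, then signs the full text it sends out."""
    out = body + footer
    return out, {"signer": list_addr,
                 "sig": _mac(list_addr, b"list", _list_input(poster_sig, out))}


def verify(poster_sig, list_sig, body):
    """Return (list_ok, poster_ok) for a message as received by a subscriber."""
    list_ok = _ok(list_sig, b"list", _list_input(poster_sig, body))
    original = body[:poster_sig["body_len"]]  # strip whatever the list appended
    return list_ok, _ok(poster_sig, b"poster", original)
```

A receiver that only applies reputation to the list address needs just the first value; the second is there for anyone who wants to check the poster's original content as well.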

