ietf-mailsig

Re: CircleID on DomainKeys

2004-10-27 20:17:33

Dave Crocker writes:
On Wed, 27 Oct 2004 23:46:33 +0100, David Woodhouse wrote:
 That would be a scheme which is based on the RFC2821 address, and
 hence doesn't _need_ to survive mailing list mangling. I suspect
 that there is indeed a place in the world for such a scheme.

1. Mailing lists are merely one of a number of cases in which a 
message that has been delivered to its specified recipient -- in this 
case the mail list address -- is re-posted for delivery to others. The 
original recipient can -- and does -- make an infinite array of 
modifications to the original message, so there is no way a signature 
can be robust against them all.

2. Once we start trying to be robust against only some, we are playing 
a losing game.  Even trying to guess all the things mailing lists do 
is a losing game.  

Taken literally, this means that the game is already lost as
there are trivial existence proofs of things in mail transit
which modify messages. So unless you would recommend that,
for example, the nofws canonicalization plays directly into
this losing game and we shouldn't do that, there is clearly
a middle ground that is worthwhile to consider. If you are
taking that absolutist position, I'm not sure there's much
point in further engagement as the real world has already
spoken and this entire effort would already be doomed. So
please clarify.

3. The reality is that the mailing list has the latest responsibility 
for injecting the message into the transfer service.  The fact that it 
takes a previous message that was created by someone else and, yes, 
even the fact that they retain the From and Subject and other tidbits 
does not make the list processor less responsible for the
content.

Define "responsible". It's not "responsible" for the
original content. And what does any assumed responsibility
mean for a receiver? The fact is, mailing lists *add* to the
list of responsible parties; it does not *supersede* them.

There's an end to end argument that is being lost here: if I
author a piece of mail, I *want* others to be able to
determine that my home domain authorized that piece of mail
purporting to come from me. What I think people are missing
is that well behaved mailing lists ought *first* to consider
not breaking MASS signatures from the home domain. Only
after that should we consider whether badly behaving
manglers should have an opportunity to fess up to their bad
behavior. 

Getting signing to be done is a case of incremental adoption 
throughout the Internet.  We should keep the model as simple as we 
can. I believe that means that signing should be done by the entity 
that last injected into the transfer service.  MTAs are mere 
relays, so they do not count.  User agents count.

Something simple which doesn't meet the requirements is
useless. Simplicity is not a primary value. Can we stop
throwing it around as if it were? We should be asking what
problem we are trying to solve before we make assessments about
"simple" and "complex".

My first requirement here: we should make reasonable effort
to accommodate the existing mail infrastructure as we are
keenly aware that implicit flag days mean undeployable
protocols.

             Mike
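A worked illustration of the canonicalization trade-off argued over in this message, added here as an example; it is not code from the thread or from any DomainKeys implementation. It models two canonicalizations (approximations of the draft's "simple" and "nofws" rules), signs a constructed message with an HMAC standing in for the RSA signature the real scheme computes over a DNS-published key, then applies three constructed mailing-list modifications and records which signature survives each. The sample message, the key and the modification functions are all invented for the example.

```python
"""Simplified DomainKeys-style canonicalization versus mailing-list mangling.

Added example, not code from the thread or from any DomainKeys
implementation.  The real scheme signs with RSA using a key published in
DNS; an HMAC over the canonicalized bytes stands in for that here so the
block runs offline.  The two canonicalizations are approximations of the
draft's "simple" and "nofws" rules, and the sample message, key and list
modifications are constructed for this example.
"""
import hashlib
import hmac
import re

SIGNING_KEY = b"constructed-home-domain-key"  # stand-in for the signer's private key

# Constructed message as the author's home domain would sign it.
ORIGINAL = (
    "From: alice@example.org\n"
    "To: mass@example.net\n"
    "Subject: canonicalization\n"
    "Content-Type: text/plain;\n"
    "\tcharset=us-ascii\n"
    "\n"
    "Hello list,\n"
    "a short test body.\n"
)


def canon_simple(message: str) -> bytes:
    """'simple': sign the bytes essentially as they are (only trailing blank lines dropped)."""
    return message.rstrip("\n").encode() + b"\n"


def canon_nofws(message: str) -> bytes:
    """'nofws' approximation: unfold header continuation lines, then drop all
    whitespace from every line, so re-wrapping and tab/space changes vanish."""
    header, _, body = message.partition("\n\n")
    header = re.sub(r"\n[ \t]+", " ", header)          # unfold folded header lines
    lines = header.split("\n") + [""] + body.rstrip("\n").split("\n")
    return b"\n".join(re.sub(r"\s+", "", ln).encode() for ln in lines) + b"\n"


def sign(message: str, canon) -> str:
    return hmac.new(SIGNING_KEY, canon(message), hashlib.sha256).hexdigest()


def verify(message: str, signature: str, canon) -> bool:
    return hmac.compare_digest(sign(message, canon), signature)


# Three things a re-posting list might do to a message in transit (constructed).
def reflow_whitespace(msg: str) -> str:
    """Re-indent header continuations with spaces and add trailing space to body lines."""
    header, sep, body = msg.partition("\n\n")
    header = header.replace("\n\t", "\n    ")
    body = "".join(ln + " \n" for ln in body.rstrip("\n").split("\n"))
    return header + sep + body


def add_subject_tag(msg: str) -> str:
    """Prefix the Subject with a list tag (Subject is in the signed header set here)."""
    return msg.replace("Subject: ", "Subject: [mass] ", 1)


def add_footer(msg: str) -> str:
    """Append a list footer to the body."""
    return msg + ("_______________________________________________\n"
                  "mass mailing list -- constructed footer\n")


MODIFICATIONS = {
    "whitespace reflow": reflow_whitespace,
    "subject tag": add_subject_tag,
    "footer": add_footer,
}
CANONS = {"simple": canon_simple, "nofws": canon_nofws}


def survival_matrix(original: str = ORIGINAL) -> dict:
    """For each (modification, canonicalization) pair: does the home-domain
    signature still verify on the message the list actually re-posted?"""
    result = {}
    for cname, canon in CANONS.items():
        sig = sign(original, canon)                    # signed before the list touched it
        for mname, mutate in MODIFICATIONS.items():
            result[(mname, cname)] = verify(mutate(original), sig, canon)
    return result


if __name__ == "__main__":
    for (mname, cname), ok in sorted(survival_matrix().items()):
        print(f"{mname:18s} {cname:7s} {'survives' if ok else 'BROKEN'}")
```

Run stand-alone, the matrix shows whitespace reflow as the one modification nofws absorbs and simple does not; a subject tag or an appended footer breaks the home-domain signature under both canonicalizations. That is the bounded class of transit changes a canonicalization rule can be robust against, as distinct from the open-ended set of edits a re-poster may make.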

