> I don't know all of the ways that list software might mutate a
> message, and neither does anyone else. We still don't have anything
> close to a concrete proposal to take an IIM signature and a message
> and tell us whether the message is close enough to the signature that
> we can conclude that the differences are only due to a trip through a
> mailing list. And I don't think we ever will, either. Feel free to
> prove me wrong, preferably with C code I can run, but I'm not holding
> my breath.
Sourceforge is your friend.
I see an implementation of IIM that makes no attempt to deal with list
mutations. I suppose your point here is that you agree that no such
software exists.
Huh? Both DK and IIM have a nofws canonicialization.
IIM allows a body count too. That's the *only* difference
in this regard. So I really don't know what you're talking about.
IIM saves copies of some of the headers, remember? When you validate the
signature, how different are the actual headers allowed to be? How much
extra goop at the end is permissible? List tags in the subject line,
message headers and footers, stuff like that. If you don't understand
what the issue is yet, I doubt I can explain it.
> As far as I'm concerned, there are exactly two kinds of message
> forwards. There's the simple dot-forward kind ...
> And then there's everything else.
MTA's modify messages too. Sendmail, for example. Try
feeding it a line of 2049 'a's and see what happens.
And sendmail is hardly in outlier in this regard.
This might be a good time to review section 4.5.3.1 of RFC 2821. Nobody
ever said the MTAs promise binary transparency. Even sendmail does a
reasonable job of not mangling RFC-compliant mail, and it's not very hard
to comply.
> The whole point of message signatures is to know who's responsible for
> the message. For mailing list messages, the responsible party is the
> list.
I disagree. When I view a message from John Levine
on ietf-mailsig(_at_)imc(_dot_)org, I think the responsible
party is John Levine, not 1000 monkeys diverted
from their day job of pounding out Shakespeare.
Putting silly statements into the mouths of people who disagree with
you is rarely a persuasive debating technique.
The ietf-mailsig(_at_)imc(_dot_)org has a good reputation because it doesn't
send a
lot of junk, forged or otherwise.
Assuming you're set up to sort your incoming mail, do you sort mail from
the mailsig list so the list mail all goes to the same place, or do you
sort it by the person who sent the mail to the list so list mail from me
goes one place and list mail from someone else goes to another place?
Everyone I know does it the first way, which tells me that it's the list's
reputation that primarily matters.
> You can't tell anything about the quality of a list by checking
> internal signatures. A list with no internal signatures might be
> manually moderated by someone who calls all the submitters on the
> phone to check that the messages are real. A list with 100% internal
> signatures could be 100% from dead Nigerian generals.
This is true of *any* intermediate in the path. Really.
Well, duh. It wouldn't be a bad idea to recommend that transparent
forwarders sign, too, but in practice, transparent forwarders are almost
all put in place by the recipient of the forward with less control over
incoming mail than lists exert. E.g., I have courtesy accounts at
ieee.org and yale,edu that forward everything that comes to them (both
with rather lame spam filtering, as it happens.) The semantics are
different; mailing lists have a topic, courtesy forwards don't.
> So, please, if you believe that it's useful to have signatures pass
> through lists, show us that it works. ...
Sourceforge is your friend.
Well, OK, then we still agree, there's no code to tell whether an IIM
signed message with modifications has been modified benignly list software
or not so benignly by something else.
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.