ietf-mailsig

Re: more hand waving about mailing lists

2004-12-06 01:33:56


On Dec 5, 2004, at 10:31 PM, John Levine wrote:

Why?  Because two users who otherwise are signing and validating their
messages can't control an intermediate third party's mailing list which
isn't signing its own outgoing messages.  In such cases, you seem to
prefer that the original poster's signature self destruct -- that is,
be unavailable to the receiver at all.

Putting silly statements into the mouths of people who disagree with
you is rarely a persuasive debating technique.

Sorry that my frustration is showing through - I've asked Dave once on the list, and once in person, to clarify what he means about this point.

I can't speak for Dave, but nothing I've seen so far changes my
conclusion that attempts to make signatures survive mailing lists and
other mutations are fundamentally a bad idea.  They add vast amounts
of complexity for at most an occasional and transitory, and more
likely an illusory benefit.

I don't know all of the ways that list software might mutate a
message, and neither does anyone else.  We still don't have anything
close to a concrete proposal to take an IIM signature and a message
and tell us whether the message is close enough to the signature that
we can conclude that the differences are only due to a trip through a
mailing list.  And I don't think we ever will, either.  Feel free to
prove me wrong, preferably with C code I can run, but I'm not holding
my breath.  It's not helpful to tell me that I can use any closeness
metric I want, since I don't know of any usable ones other than exact
match.

The experiments I've seen with DK have shown that even rather
simple-looking fuzzy matches can let through heavily mutated messages,
while some common mutations like virus scanner tag lines can be really
hard to deal with.  I don't see any reason to think that IIM would be
any different in those regards.

As far as I'm concerned, there are exactly two kinds of message
forwards.  There's the simple dot-forward kind in which the message is
unmodified other than perhaps having a few headers added at the top.
And then there's everything else, mailing lists, MUAs that smash as
they forward, whatever.

Is the behavior of the ietf-mailsig mailing list of the former or latter
variety?  I know it's not a .forward because the envelope-from is
changed, but it doesn't modify the body much at all, nor the headers.

For the first kind, I hope we agree that it's easy to make a signature
scheme work.  For the second kind, it's not, so my advice is don't
even try.

The whole point of message signatures is to know who's responsible for
the message.  For mailing list messages, the responsible party is the
list.

This means a subscriber can't have a more or less restrictive policy
than the list administrator.

Here, again, I'd like the subscriber to _be_able_ to employ additional
heuristics.  Which means I'd like the original signature -- if any --
to persist, in the same way X-Face "persists" through mailing lists.

 You can't tell anything about the quality of a list by checking
internal signatures.

I agree - such signatures would tell me if the posters were authorized.

A list with no internal signatures might be
manually moderated by someone who calls all the submitters on the
phone to check that the messages are real.

Sure.

 A list with 100% internal
signatures could be 100% from dead Nigerian generals.

Which could happen because the list administrator's policies are lax
and don't have as stringent checks as a list subscriber's -- and if
the signature doesn't survive a typical mailing list, there's no way
for the list subscriber to apply more strict policy than the list's
policy.

So, please, if you believe that it's useful to have signatures pass
through lists, show us that it works.  Show us running code that can
handle mutations from common list managers (try Yahoo Groups, mailman,
listserv, sympa, lyris, and majordomo) but can't be trivially spoofed.
Give us some rules to tell us what we're supposed to do with list mail
that has various combinations of good and bad nested signatures.  At
this point, all I see is smoke.

-d


Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
http://www.taugh.com
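
The trade-off argued over in this message, as an added illustration that is not part of the original post and not code from any participant or from DK or IIM: a SHA-256 digest of the canonicalized body stands in for the signature, and it is checked under exact match and two relaxed matches. The two relaxed canonicalizations (whitespace-insensitive, and a hypothetical "sign only the original length" prefix match) and all message text are constructed assumptions.

```python
import hashlib

# Constructed sample body and mutations (CRLF line endings, as on the wire).
ORIGINAL = "The meeting is now here.\r\nPlease bring the signed contract.\r\n"
MUTATIONS = {
    # Benign changes a list manager or gateway might make.
    "rewrapped": "The meeting is now here. Please bring\r\nthe signed contract.\r\n",
    "list_footer": ORIGINAL + "_______________\r\nexample-list mailing list\r\n",
    "scanner_tag": ORIGINAL + "-- \r\nThis message was scanned for viruses.\r\n",
    # Changes that alter what the message says.
    "meaning_changed": ORIGINAL.replace("now here", "nowhere"),
    "text_appended": ORIGINAL + "Correction: the meeting is cancelled.\r\n",
}

def canon_exact(body):
    """Exact match: every byte of the body is covered."""
    return body.encode()

def canon_no_whitespace(body):
    """Relaxed: drop all spaces, tabs, CRs and LFs before hashing."""
    return "".join(body.split()).encode()

def canon_prefix(body, n=len(ORIGINAL.encode())):
    """Relaxed (hypothetical): cover only the first n bytes, ignoring what follows."""
    return body.encode()[:n]

SCHEMES = {
    "exact": canon_exact,
    "no_whitespace": canon_no_whitespace,
    "prefix": canon_prefix,
}

def matches(original, received, canon):
    """True if the received body hashes to the value the sender signed."""
    signed = hashlib.sha256(canon(original)).digest()
    return hashlib.sha256(canon(received)).digest() == signed

def survival_matrix():
    """For each scheme, which mutations still verify against the original."""
    return {
        name: {m: matches(ORIGINAL, body, canon) for m, body in MUTATIONS.items()}
        for name, canon in SCHEMES.items()
    }

if __name__ == "__main__":
    for scheme, row in survival_matrix().items():
        print(f"{scheme:14}", " ".join(f"{m}={'ok' if v else 'FAIL'}" for m, v in row.items()))
```

In the resulting table, exact match fails every mutation, while each relaxed scheme that tolerates one benign mutation also accepts one content-changing mutation, and neither tolerates all three benign ones.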






