ietf-mailsig

Re: Responsibility assignment ad mailing list survival (was RE: Good as the enemy of OK)

2005-01-13 15:15:28

On Thu, 2005-01-13 at 13:44 -0700, Robert Barclay wrote:
From: owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org [mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of John Levine
If it were my ISP, I'd just cancel the account.  I'd only cancel a key
if I found that it had leaked and unknown parties were using it to
sign mail.  The signature means that the original sender and recipient
addresses are real, if someone wants to further pursue the miscreant.

The most that a signature can do is to identify the responsible party.
There's no point in adding cruft that attempts to go beyond that.

Given this, why would any domain want their signatures to survive
transformations by mailing lists that their users send messages to, with
which they have no relationship and over which they have no control?

There will be some changes that happen, in addition to what happens at
list servers.  As a general rule, if there is any restoration of the
message, it should be restored to the original message as a means to
keep abusive links and messages from being added.  This rule would
encourage list servers that add information to sign their messages.

I know that most of the companies I work with are extremely
conservative (for good legal reason) in what they are willing to
accept responsibility for.

I think that is a separate issue.

It seems to me that the possibility that a domain may be accepting
responsibility for a message that has undergone an arbitrary list of changes
after it has left their control is likely to impede adoption of a mailsig
mechanism by exactly the group of people whose adoption would be most
valuable (namely high value spoofing targets).

Which would be a good reason for adopting a general rule that any
restoration of a message provides _only_ the restored message.

I know that when I go to speak to the financial service companies I work
with, to convince them to adopt any of these mechanisms it must meet the
following needs:
1) It allows them to show the validity of the use of their domain by anyone
they allow to send on their behalf (and any large company will have a number
of people with whom they have contractual relationships validly sending on
their behalf)

Agreed.

2) Accept responsibility (and the concomitant reputation effects) only for
the messages sent by those parties.

Expanding on the meaning of "sent."

There are two levels of protection required.  One is at the network
level to protect servers from rampant abuse.  The other is at the user
level.  Should there be a means to rapidly disable authorizations
provided by a signature mechanism in the event of detected abuse, then
knowing which server "sent" the message is less of a concern.  The
network level protections will be assessing the "sending" servers.
Should both of these protection mechanisms provide the authenticated
name of an administering domain, then a common reputation system can
safely support both the network and the user protection mechanisms.

If there are cases where a message may be altered by someone other
than those people over whom they can exercise control (either their
employees or people with whom they have a direct relationship) then to
get them to adopt mailsig the list of those transformations will need
to be pretty limited and it will be necessary to be able to enumerate
them to the non-technical managers of those companies in a way that
makes it clear that adopting mailsig does not create new risks for
them. [The] argument that this [may] create some risks for their
reputation in some areas, but reduces their risk in others may carry
some weight but in my experience is a pretty hard sell.

I think this would argue for adopting a general rule that any
restoration of a message provides only the restored message.

This is one of the underlying reasons that I still believe that mailing
lists are themselves an end point for mailsig (and most other purposes).

A generalized rule that, as a result, removes any modification added by
a mail list would work toward getting mailing lists that munge messages to
adopt their own signing practices.

Suppose this list started adding a signature that I found offensive. If I
complained about the message John sent due to that signature would it be
reasonable to assign responsibility for that to iecc.com?

As a hypothetical, if the list did not provide their own signature, but
the mail was accepted because the signature was found valid after a
restoration process (this would not be practical in many cases) then
just the content of the restored message should be retained.

If the message could not be restored and the signature was not
validated, then the conditions for acceptance would be on that basis.
If list managers found it essential that the information added to a message
be seen by recipients, then they would need to sign enhanced messages.

List servers may allow signatures to be a condition for acceptance of
mail.  They have two ways to do this.  One, by not touching the content
of the message.  Two, by re-signing the message.  Where the content is
not touched, then John's domain would be able to demonstrate
accountability.  Where a signature was added so modifications could be
seen by the end user, then the list server, or in this case, imc.org,
would have demonstrated accountability.

-Doug
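The three outcomes argued over in this message (a list's munging breaks the origin signature; a restoration that validates delivers only the restored content, so nothing the list added rides along on the origin domain's reputation; a list that re-signs becomes the accountable domain itself) are easier to see with a runnable model. The block below is an added example and is not code from the page or from any mailsig participant. HMAC-SHA256 with a per-domain secret stands in for the domain's public-key signature so it runs on the Python standard library alone; the X-Sig tag names, the FOOTER_SEP marker the list is assumed to put before its additions, the key table and the sample message are all constructed for this example.

```python
"""Toy message signing to illustrate signature survival across a mailing list.
Added example; HMAC with a per-domain secret stands in for a public-key signature."""
import hashlib
import hmac
import re

# Constructed per-domain secrets (a real scheme publishes public keys per domain).
KEYS = {"iecc.com": b"iecc-demo-secret", "imc.org": b"imc-demo-secret"}
SIGNED_HEADERS = ["from", "to", "subject"]
FOOTER_SEP = "-- list footer --"   # assumption: the list marks everything it appends


def canon_body(body):
    """Relaxed canonicalisation: CRLF->LF, collapse runs of blanks, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", l.rstrip()) for l in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\n".join(lines) + "\n").encode()


def canon_headers(headers, names):
    """Lower-cased names, whitespace-collapsed values, one per line."""
    return "".join(f"{n}:{' '.join(headers.get(n, '').split())}\n" for n in names).encode()


def body_hash(body):
    return hashlib.sha256(canon_body(body)).hexdigest()


def sign(msg, domain):
    """Return a copy of msg with a new X-Sig from `domain` prepended (newest signer first)."""
    bh = body_hash(msg["body"])
    data = canon_headers(msg["headers"], SIGNED_HEADERS) + f"bh={bh}".encode()
    b = hmac.new(KEYS[domain], data, hashlib.sha256).hexdigest()
    sig = f"d={domain}; h={':'.join(SIGNED_HEADERS)}; bh={bh}; b={b}"
    headers = dict(msg["headers"])
    headers["x-sig"] = [sig] + list(msg["headers"].get("x-sig", []))
    return {"headers": headers, "body": msg["body"]}


def verify(msg):
    """Domain of the first X-Sig that validates against the message as received, else None."""
    for raw in msg["headers"].get("x-sig", []):
        t = dict(p.strip().split("=", 1) for p in raw.split(";"))
        if t.get("d") not in KEYS or body_hash(msg["body"]) != t.get("bh"):
            continue
        data = canon_headers(msg["headers"], t["h"].split(":")) + f"bh={t['bh']}".encode()
        expect = hmac.new(KEYS[t["d"]], data, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expect, t["b"]):
            return t["d"]
    return None


def list_transform(msg, list_domain, tag, footer, resign):
    """What a munging list does: subject tag, List-Id header, appended footer; optionally re-sign."""
    headers = dict(msg["headers"])
    headers["subject"] = f"[{tag}] {headers['subject']}"
    headers["list-id"] = f"<{tag}.{list_domain}>"
    body = msg["body"].rstrip("\n") + "\n" + FOOTER_SEP + "\n" + footer + "\n"
    out = {"headers": headers, "body": body}
    return sign(out, list_domain) if resign else out


def restore(msg, tag):
    """Undo the list's known munging. Assumes the verifier knows the list's
    conventions, which the message above notes is impractical in many cases."""
    headers = dict(msg["headers"])
    headers.pop("list-id", None)
    prefix = f"[{tag}] "
    if headers.get("subject", "").startswith(prefix):
        headers["subject"] = headers["subject"][len(prefix):]
    body = msg["body"]
    i = body.find("\n" + FOOTER_SEP + "\n")
    return {"headers": headers, "body": (body[:i] + "\n") if i >= 0 else body}


def accept(msg, list_tag=None):
    """The rule argued above: accept on a signature valid as received, attributing to
    that signer; if only a restoration validates, deliver the restored message and
    nothing the list added; otherwise reject (return None)."""
    d = verify(msg)
    if d:
        return {"accountable": d, "delivered": msg}
    if list_tag:
        r = restore(msg, list_tag)
        d = verify(r)
        if d:
            return {"accountable": d, "delivered": r}
    return None


# Constructed sample message and list footer.
ORIGINAL = {
    "headers": {"from": "sender@iecc.com", "to": "ietf-mailsig@imc.org",
                "subject": "Good as the enemy of OK"},
    "body": "If it were my ISP, I'd just cancel the account.\n",
}
FOOTER = "To unsubscribe, see the list archive."

if __name__ == "__main__":
    signed = sign(ORIGINAL, "iecc.com")
    munged = list_transform(signed, "imc.org", "ietf-mailsig", FOOTER, resign=False)
    resigned = list_transform(signed, "imc.org", "ietf-mailsig", FOOTER, resign=True)
    print("as received:", verify(munged))                               # None
    print("restored   :", accept(munged, "ietf-mailsig")["accountable"])  # iecc.com
    print("re-signed  :", accept(resigned)["accountable"])              # imc.org
```

Running it shows the footer breaking the origin signature, the restored copy validating for iecc.com with the footer and subject tag discarded, and the re-signed copy validating for imc.org with the footer retained because the list, not the origin, now vouches for it. A body modified in transit (an injected link before the footer marker) fails both the as-received check and the restoration check, which is the abuse the restoration rule is meant to keep off the origin domain's account.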

