Re: (DMARC) We've been here before, was Why mailing lists
2014-04-17 13:18:35
John R Levine wrote:
The originator (well, more to the point, the originator's mail server)
doesn't need a signal that it's a mailing list; it's simply that the
destination makes an "if I forward the mail, I'll be including this" piece
of
data available, and the originator's server can then include that in the
signature of the message. I was thinking this could be in some special kind
of DMARC (or whatever) record that lived in the mailing list's domain and
could be queried by the originator's server.
We argued at great length about this issue when we were doing DKIM. The
magic token has to be cryptographically tied to the contents of the
original message, or bad guys can take the token from a real message and
replace the body with spam. So that means a token tied to a hash of the
contents of the message which is, of course, a DKIM signature. This
scheme is equivalent to requiring that lists preserve DKIM signatures,
which they don't.
Every attempt to create a signing scheme that is flexible enough to deal
with all the routine stuff that lists do (e.g., reorder, discard, or
flatten MIME parts while adding the usual subject tags and body footers)
while being robust enough to prevent bad guys from replacing the message
with spam has completely failed. We can try again, but I don't see any
reason to think that the result would be any different.
I fail to understand where the problem comes from. The idea/architecture
of the rfc822 "sent on behalf of" (Sender:) seems clear. If anything
should be authenticated at all, then it is what _the_sender_ decides
to send.
The sender might be asserting the authorship of the message (plus or
minus a few bits) to someone else by including the authors name in
a From: field that differs from the Sender: field.
A technology that is obsessed about the contents of the From:-Field
of an rfc822/2822/5322 Email message that ignores the semantics of
the Sender: field appears broken to me. A sender that received
the original EMail with a signature might indicate so (and authenticate
this indication), but unless the original message is included verbatim
an opaque blob, the original signature may no longer work -- such as
when a mailing list software cleans/streamlines submissions, so the
original signature should be stripped.
MUAs which are not implementing the rfc822/2822/5322 "on behalf of"
semantics of a message that carries both From: and Sender: header
fields ought to be FIXED. Standards that build on rfc822/2822/5322
and do not respect "on behalf of" semantics of messages with
both "Sender:" and "From:" also need to be FIXED.
-Martin
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: (DMARC) We've been here before, was Why mailing lists, (continued)
- Re: (DMARC) We've been here before, was Why mailing lists, John R Levine
- Re: (DMARC) We've been here before, was Why mailing lists, Pete Resnick
- Re: (DMARC) We've been here before, was Why mailing lists, John R Levine
- Re: (DMARC) We've been here before, was Why mailing lists, Pete Resnick
- Re: (DMARC) We've been here before, was Why mailing lists, ned+ietf
- Re: (DMARC) We've been here before, was Why mailing lists, Miles Fidelman
- Re: (DMARC) We've been here before, was Why mailing lists, ned+ietf
- Re: (DMARC) We've been here before, was Why mailing lists, John Levine
- Re: (DMARC) We've been here before, was Why mailing lists, Murray S. Kucherawy
- Re: (DMARC) We've been here before, was Why mailing lists, John Levine
- Re: (DMARC) We've been here before, was Why mailing lists,
Martin Rex <=
- Re: (DMARC) We've been here before, was Why mailing lists, Douglas Otis
- Re: (DMARC) We've been here before, was Why mailing lists, Martin Rex
- Re: (DMARC) We've been here before, was Why mailing lists, John Levine
- Re: (DMARC) We've been here before, was Why mailing lists, Martin Rex
- Re: (DMARC) We've been here before, was Why mailing lists, John Levine
- Re: (DMARC) We've been here before, was Why mailing lists, Michael Richardson
- Re: (DMARC) We've been here before, was Why mailing lists, Murray S. Kucherawy
- Re: (DMARC) We've been here before, was Why mailing lists, John R Levine
- Re: (DMARC) We've been here before, was Why mailing lists, Theodore Ts'o
- Re: (DMARC) We've been here before, was Why mailing lists, Murray S. Kucherawy
|
|
|