On Sep 10, 2010, at 10:14 AM, Todd Lyons wrote:

> On Fri, Sep 10, 2010 at 6:50 AM, McDowell, Brett
> <[email protected]> wrote:
>>>> Ugh! We simply have to fix the root cause of MLM's breaking DKIM
>>>> signatures.
>>> Disagree. This would then mean MLM messages become visually similar to
>>> messages from individuals.
>> I didn't mean to suggest MLM's should stop doing the things they do that
>> break DKIM signatures. I'm actually a fan of the A-R header (or perhaps a
>> new one) approach -- used in a clear (profiled?) way -- so MLM's can assert
>> to receivers that they verified the sender's signature before processing and
>> re-signing it.
>
> As an end receiver though, I certainly wouldn't trust an A-R header
> that someone else put in during transit saying that it verified from
> $BIG_COMPANY. That can too easily be forged. Now if that A-R header
> was part of your DKIM sig or the header had a brief sig field that
> could be tied back to your DKIM sig, it would become eligible to be
> regarded as trustworthy (but not necessarily guaranteed to be so).

That's what I meant by "the A-R header (or perhaps a new one) approach". To be more clear:

(1) sender sends DKIM-signed mail to typical mail list
(2) typical mail list verifies DKIM signature of sender
(3) typical mail list processes the message (adds its footer, updates subject line, etc.) and updates the A-R header info stating it verified signature of sender
(5) typical mail list then DKIM-signs the entire message and delivers it to all subscribers
(6) receiver verifies the mail list's DKIM signature, reads the claim in the A-R header, makes a trust decision, and then processes the message as it would if it had come directly from the sender (i.e., if it was ADSP=discardable it would actually deliver the message because of the "chain of trust" from the sender to the MLM to the receiver)

note: it's more complicated than this as more intermediaries may exist between sender and MLM or MLM and receiver, but the concept remains intact and between DKIM and A-R the technology standards exist to implement this kind of ecosystem (we may need a profile of A-R or a new header, something we should debate sooner than later).

-- Brett
_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
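
Added example, not part of the message above or of any DKIM implementation: a sketch of the receiver-side decision in step (6), which honors the list's A-R claim only when the list's own DKIM signature covers that header, the condition raised in the quoted reply. The allowlist, the sample domains and the `mlm_sig_valid` input (the verdict of a real DKIM verifier) are assumptions, and A-R comments in parentheses are not handled.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a list-processed message, steps (3)-(5).
# Domains, selector and the elided bh=/b= values are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=list.example; s=sel1;
 h=from:to:subject:authentication-results; bh=...; b=...
Authentication-Results: list.example; dkim=pass header.d=bank.example
From: Alice <alice@bank.example>
Subject: [dkim-ops] hello

body plus list footer
"""
TRUSTED_MLMS = {"list.example"}  # assumption: receiver-local allowlist

def tags(value):
    """Parse a DKIM-style 'k=v; k=v' tag list, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {"".join(k.split()).lower(): "".join(v.split()) for k, v in pairs}

def decide(raw, mlm_sig_valid, adsp="discardable"):
    """Step (6): return 'deliver' or 'discard' for a list-relayed message.

    mlm_sig_valid is the verdict a real DKIM verifier gave for the topmost
    DKIM-Signature; the cryptographic check is out of scope here.
    """
    msg = message_from_string(raw)
    sig = tags(msg.get("DKIM-Signature", ""))
    signer = sig.get("d", "").lower()
    signed = sig.get("h", "").lower().split(":")
    ar = msg.get_all("Authentication-Results") or []
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    chain = False
    # The A-R claim counts only if the trusted list's valid signature covers
    # it. h= signs the bottom-most instance, so a second, prepended A-R would
    # be unsigned: require exactly one.
    if (mlm_sig_valid and signer in TRUSTED_MLMS and author
            and "authentication-results" in signed and len(ar) == 1):
        authserv, _, results = ar[0].partition(";")
        methods = [m.split() for m in results.lower().split(";")]
        chain = authserv.strip().lower() == signer and any(
            m[:1] == ["dkim=pass"] and f"header.d={author}" in m
            for m in methods)
    if chain:
        return "deliver"  # verified sender -> MLM -> receiver chain
    return "discard" if adsp == "discardable" else "deliver"
```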
