On 4/8/15 4:35 PM, Murray S. Kucherawy wrote:
> On Wed, Apr 8, 2015 at 4:18 PM, John R Levine <jo...@taugh.com> wrote:
>
>> > Yeah, I can add a giant new MIME part of arbitrary spamminess and it'll
>> > DKIM verify.  Can someone explain in detail how a verifier is supposed to
>> > use this new hack.  Consider these two messages:
>> >
>> > a) has a one line trailer part saying
>> > "for more information about foo list see http://foolist.org";
>> >
>> > b) has a 50 line trailer explaining that my credit card has been cancelled
>> > and I need to click on this malware link immediately.
>> >
>> > Both have a valid list-whatever signature.
> Aren't you going to run them through your spam filter regardless, so the
> nasty stuff will get caught anyway?
>
> Assuming the schemes in those drafts worked, both cases have a valid
> list-whatever signature AND a valid author signature, AND you know the (a)
> or (b) added bit is solely the responsibility of the list (and, conversely,
> you also know where the original content starts and ends).  Nobody's saying
> it's safe in any case, but you do know who did what, and that's more than
> we know today.
>
> -MSK
Dear Murray,

What will knowing more about mailing-lists hope to solve?
Why not define minimum recommendations for third-party
services for avoiding mistaken assumptions made by DMARC
which may result in valid messages being disrupted by reject
or quarantine DMARC handling?  Frankly, redefining DKIM will
not solve DMARC's basic problem of confusing Author with
Sender roles. The only reasonable course of action is to
cede From Header field role redefinitions to DMARC based on
pragmatic principles and find another header field less
likely to be (ab)used by transactional messaging.

Regards,
Douglas Otis




_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
