A re-signing scheme also has to have some mechanism for deciding which third parties get the endorsement ("@fs=") from the author domain. One might think of that as a "registry" with similar problems to those we've been discussing, but it's just an entirely private one. So I'm not sure we can plainly say registries are off the table, because you always have to have some way to decide whether to affirm the relationship. It's a matter of the method by which you do so.
Yeah. I think there's a general rule in there, but it's subtle. It's clear that a whitelist that resenders sign up for won't work, largely because any such list big enough to be interesting is also big enough to have entries that don't belong on it (Marx' Rule, see *). It's less clear what the rule should be for private white or other lists.
For the current question of a private list of mailing lists that get special treatment on outgoing mail, it still seems to me that small systems can just allow double signing for everything, and large systems can come up with a pretty good list of their own from a combination of their own incoming mail and the DMARC aggregate reports. The reports will tell you what IPs are sending mail with a combination of your own DKIM signature (valid or broken) and a second signature, so if a host is doing that, and the IP's reputation is not awful, the second signature is an excellent candidate for that list.
I have about 35,000 aggregate reports here, should do a little data mining and see how well it works.
R's,
John

* - http://www.brainyquote.com/quotes/quotes/g/grouchomar122546.html

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
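An added example, not part of the original message and not the poster's code: one way to do the aggregate-report mining described above, tallying second DKIM signers that appear alongside the author domain's own signature (valid or broken). It assumes RFC 7489 aggregate report XML, treats `example.com` as the author domain, requires the second signature to have verified, and uses a hypothetical `bad_ips` set as a stand-in for an IP reputation source; the report data is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def _record(ip, count, *sigs):
    """Build one constructed <record> in the RFC 7489 aggregate-report layout."""
    dkim = "".join(f"<dkim><domain>{d}</domain><result>{r}</result></dkim>" for d, r in sigs)
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count></row>"
            f"<auth_results>{dkim}</auth_results></record>")

# Constructed sample report; domains and IPs are documentation placeholders.
SAMPLE_REPORT = "<feedback>" + "".join([
    _record("192.0.2.10", 12, ("example.com", "fail"), ("lists.example.org", "pass")),
    _record("192.0.2.10", 3, ("example.com", "pass"), ("lists.example.org", "pass")),
    _record("198.51.100.7", 40, ("example.com", "pass")),   # direct mail, one signature
    _record("203.0.113.5", 9, ("example.com", "fail"), ("bulk.example.net", "pass")),
    _record("192.0.2.44", 5, ("other.example", "pass")),    # our signature absent
]) + "</feedback>"

def candidate_signers(report_xml, own_domain, bad_ips=frozenset()):
    """Tally messages per (second DKIM domain, source IP) that also carried
    a DKIM signature from own_domain."""
    tally = Counter()
    # "{*}" matches the element with or without an XML namespace (Python 3.8+).
    for rec in ET.fromstring(report_xml).findall(".//{*}record"):
        ip = (rec.findtext("{*}row/{*}source_ip") or "").strip()
        count = int(rec.findtext("{*}row/{*}count") or 0)
        sigs = [((d.findtext("{*}domain") or "").strip().lower().rstrip("."),
                 (d.findtext("{*}result") or "").strip().lower())
                for d in rec.findall("{*}auth_results/{*}dkim")]
        # Our own signature must be present; valid or broken both count.
        if ip in bad_ips or not any(dom == own_domain for dom, _ in sigs):
            continue
        for dom, result in set(sigs):
            # Assumption: only a second signature that verified is worth listing.
            if dom != own_domain and result == "pass":
                tally[(dom, ip)] += count
    return tally

if __name__ == "__main__":
    # bad_ips is a hypothetical stand-in for the operator's IP reputation data.
    hits = candidate_signers(SAMPLE_REPORT, "example.com", {"203.0.113.5"})
    for (dom, ip), n in hits.most_common():
        print(f"{n:6d}  {dom}  via {ip}")
```

Run over a directory of unpacked reports, the per-report counters can be summed with `Counter.update` before ranking.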