On Tue, Aug 25, 2020 at 5:03 AM Alessandro Vesely <ves...@tana.it> wrote:
> On Mon 24/Aug/2020 19:24:03 +0200 John Levine wrote: > > In article <CAL0qLwaip0fzXpqnK=XTcEELZRat_gnjuEGZYj= > 8qgy3wky...@mail.gmail.com> you write: > >>> If the intermediary DKIM signs the modified message with their own > >>> signature, that provides some assurance to the receiver. > >> > >> You mean like > https://tools.ietf.org/html/draft-levine-dkim-conditional-00? > >> > >> I'm pretty sure that got implemented too, but I can't recall now if it > ever shipped. > > > > I don't think it ever did. It has the scaling problem of every system > that sends to mailing lists > > having to decide what mail it's willing to have re-signed and what > domain the second signature > > will use. Usually it's the domain name of the list except when it's not. > > > Right. The only practical implementation I see is that the sender has > a list of recipient addresses that require weak signatures. When it > is about to send a message destined to a listed address, it can fork > the message so that the weakly signed copy is sent to the (trusted) > list address only. Any direct copy is signed in full. > > To configure that, a postmaster would need an application by the list. > Something saying "your users A, B, and C are subscribed to list X, > please sign weakly". The postmaster would then verify if A, B, and C > are trusted users and if they confirm to be subscribed to X. In that > case, the address of X gets enlisted. Would that scale? > > > Best > Ale > -- > Under my concept, all mail would still be signed in full. The weak signature would be in addition to the full signature and the intermediary would be expected to sign in full as well. If the original full signature is broken you are left with the original "weak signature" which authorizes the intermediary and the full signature of the intermediary. I would expect there to be multiple potential approaches to identifying acceptable intermediaries. One might be user self enrollment. For larger organizations it might be intermediary application/approval. A 3rd approach might be a trusted 3rd party providing lists of known intermediaries. This would be separate from the core signing RFC, whether it is part of DMARC or a separate document. Michael Hammer.
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
