On 03/15/2006 21:51, Dave Crocker wrote:
> Michael Thomas wrote:
> > John Levine wrote:
> >>> How does a receiver know the difference between a "mailer" and a
> >>> "random third party"?
> >>
> >> It doesn't, and it doesn't care. It looks up the signing domain in
> >> its handy local list of signers worth paying attention to. Maybe at
> >> some future time there will also be external sources of worthy
> >> signers, but that's way outside the scope of any discussion here.
> >
> > Which handy local list of signers is that? Where do I find Cisco's?
>
> Michael,
>
> The signature that you are so worried about preserving is only useful if
> there is some database to consult, about it.
>
> That's the list John is referring to.
>
> So whatever you are planning to consult, after validating the originator's
> signature, is what should be consulted after validating the list's
> signature.
>
> In other words, a valid signature is a valid signature. An invalid
> signature is an invalid signature.
>
> And, as I've raised many times, I do not understand the compulsion to
> preserve a signature for a message that is re-posted by an automaton user
> agent, when there is no equivalent expectation of preservation, for a
> message that is manually re-posted -- such as when I forward a message on
> to someone else. The architectural role is the same. The semantics are
> the same.
>
> Mailing lists can do, and do do, whatever violence to a message they wish
> and their subscribers find useful, because the mailing list agent is really
> posting a new message, no matter how close it might seem to the original.
> A small amount of hacking to make the close ones preserve the signature is
> one thing. A large amount is quite another. So is attempting to declare
> the ones making larger changes "wayward".
>
> It is not reasonable to try to declare that the ones doing small changes
> are somehow acceptable but that the ones doing larger are not, since a)
> there is no specification or established practice to justify that
> declaration, and has been pointed out rather directly, b) such a
> declaration will have no beneficial effect.
>
> So, as vigorously as you are arguing your position, I am not seeing how it
> produces anything that will work in the real Internet.
>
> d/

This database that you insist is necessary for DKIM to be useful is pretty well by definition a reputation system. So, if as you say a DKIM signature has no value without a reputation system of some limited kind and reputation is out of bounds, I guess I don't understand what you think we are doing here?

Scott Kitterman
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html