> -----Original Message-----
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of John R. Levine
> Sent: Friday, April 23, 2010 9:39 AM
> To: Ian Eiloart
> Cc: ietf-dkim@mipassoc.org
> Subject: Re: [ietf-dkim] Why mailing lists should strip DKIM signatures
>
> >> I sign all my outgoing mail, and I have a feedback loop set up with
> >> Yahoo, which being very modern and advanced keys on signatures, not IP
> >> addresses. A few days ago I sent some messages to one of the Freebsd
> >> mailing lists. Today some Yahoo user who subscribes to that list hit
> >> the spam button. Freebsd's list software (Mailman, I think) doesn't
> >> sign, and doesn't strip any headers. So what happened? Yahoo saw my
> >> signature and sent the reports to me, which was of course useless
> >> since I don't run the list.
> >
> > Would this still be an issue if the lists were signing the outbound mail?
> > You'd hope that Yahoo would then send the feedback reports to the list owner.
>
> Probably not. It depends if the list owner has an FBL of their own, which
> small senders generally don't.
>
> > If that's the case, then the preferred behaviour must be to sign the message,
> > DKIM header included.
>
> The list should certainly sign, but the old signature has to go, since the
> reputation of a list's mail belongs to the list, not the contributors.
>
> R's,
> John
John raises an interesting question. It has been asserted that signing for a message is making an assertion of responsibility for it. In the example John provides, the DKIM signature survived intact (or did Yahoo send the report through the FBL based on a broken signature?).

If John is making some assertion of responsibility for his message by signing, what is the limit of his responsibility as the message flows through the ecosystem? Where is the RFC that says his signature should be stripped? If the list stripped his signature and someone modified what he wrote, is this a failure of DKIM or is it something else? What are we collectively (and individually) trying to achieve if we are signing the body and not just the headers?

When the person hit the "this is SPAM" button, were they referring to John's message or were they referring to mail from the list? How do we know? If there were more than one valid signature on the message, where would Yahoo send the report? Where should Yahoo send the report? What if none of the signatures are "first party"? It has been asserted multiple times that multiple signatures are possible and perhaps even desirable.

Just a few thoughts and questions on a Friday morning.

Mike

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
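A small model of the mechanics behind these questions, added here as an illustration and not code from the thread or from any of its participants: it computes the DKIM bh= body hash with the RFC 6376 "simple" body canonicalisation and models a list that may strip earlier signatures, append a footer and re-sign, so one can see which signatures a signature-keyed FBL could still attribute to a domain. The per-domain HMAC stands in for the RSA signature (the standard library has no RSA), and the domains, secrets and message are constructed.

```python
"""Toy model of DKIM signature survival through a mailing list (added illustration).
Real bh= canonicalisation per RFC 6376 "simple"; header signature modelled with HMAC."""
import base64
import hashlib
import hmac

# Constructed per-domain secrets standing in for each signer's key pair (assumption).
KEYS = {"author.example": b"author-secret", "list.example": b"list-secret"}


def canon_body_simple(body: str) -> bytes:
    """RFC 6376 s3.4.3 'simple': CRLF line ends, trailing empty lines ignored."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines).encode() or b"\r\n"


def body_hash(body: str) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalised body))."""
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()


def sign(domain: str, headers: dict, body: str) -> dict:
    """Build a DKIM-Signature-like record: d=, bh= and b= over From, Subject and bh."""
    bh = body_hash(body)
    data = (headers["from"] + "\r\n" + headers["subject"] + "\r\n" + bh).encode()
    return {"d": domain, "bh": bh, "b": hmac.new(KEYS[domain], data, hashlib.sha256).hexdigest()}


def verify(sig: dict, headers: dict, body: str) -> str:
    """Verifier order per RFC 6376 s6.1.3: body hash first, then the signature itself."""
    if body_hash(body) != sig["bh"]:
        return "bodyhash-fail"
    expected = sign(sig["d"], headers, body)["b"]
    return "pass" if hmac.compare_digest(expected, sig["b"]) else "fail"


def passing_signers(sigs: list, headers: dict, body: str) -> list:
    """Domains whose signature still verifies: the candidates a signature-keyed FBL could report to."""
    return [s["d"] for s in sigs if verify(s, headers, body) == "pass"]


def relay_through_list(sigs: list, headers: dict, body: str, footer: str, strip_old: bool):
    """Model the list: optionally drop earlier signatures, append a footer, sign as list.example."""
    kept = [] if strip_old else list(sigs)
    new_body = body + footer
    return kept + [sign("list.example", headers, new_body)], new_body
```

With an empty footer and `strip_old=False` both signatures verify, which is the multiple-valid-signature case the questions above turn on; with a footer the author's signature fails on the body hash whether or not the list strips it.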