On 4/29/10 6:06 PM, John Levine wrote: > I just don't see how you can simultaneously say "throw away unsigned > mail" and "don't throw away unsigned mail if a list says it used to > be signed" unless you have some way to identify trustworthy lists.
Agreed. People might trust authentications of a From domain based upon valid Author Signatures, but they should not trust From domains based upon A-R header indications of previous Author Signatures without knowing how the A-R headers were processed. Any assumption of proper processing would permit simple exploits and invite abuse. Those most interested in determining proper A-R header processing by third-parties would be those with an interest in protecting their recipients, such as financial institutions. > But once you know that a list is trustworthy, why wouldn't you just > accept all its mail? I just don't see a plausible scenario where you > you know you trust the list but still want to accept or reject mail > based on assertions the list itself makes. Not all mailing-lists will remove A-R headers. One misleading A-R header from a normally acceptable mailing-list promoting inappropreate trust could be replayed in a spam campaign. Such messages would be difficult to reject and might lead to inappropriate annotations. Who should be expected to retain audits of A-R header handling? -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html