On 04/30/2010 07:05 AM, McDowell, Brett wrote:
>
> In that scenario, if the MLM re-signing solution has been deployed by Y, and 
> DKIM+ADSP has been deployed by X & Z, and Z has chosen to take action on X's 
> ADSP policies... the only thing Z is trusting Y to do is validate incoming 
> DKIM signatures, re-sign the messages with its own DKIM signature, and pass 
> it along with the A-R results that convey what was done.  Z is not trusting 
> everything and anything that might ever come through Y.
>
> I think that's a reasonable level of trust to expect mailbox providers to 
> have in mail lists who assert that they do this.  Rogue mail lists will stop 
> being trusted but only after they have "lost" the trust that was granted to 
> them via their standards-based assertion (we would probably need to spec out 
> how a MLM advertises that they indeed conduct flows in this manner) that they 
> perform these functions on incoming mail.
>
> Again, I'm not saying this is the best or most elegant way of handling the 
> problem of properly authenticated mail not being able to traverse mail lists, 
> but it seems worthy of further discussion as an option.

Yeahbut... there are zillions of mailing lists out there. How do you know the
good ones from the bad ones? Keep in mind, of course, that bad guys can re-sign
too, and they can easily make themselves look like a mailing list if that's
something that gives them advantage.

If the solution is some sort of (third party) reputation/whitelist, then
there's really not much for us to do, right? Even with your discardable ADSP
setting, it becomes a matter of the order of checks at the receiver's gate
(e.g., whitelist first, then ADSP...)

Mike
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
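
An added illustration, not part of the original message and not code from any DKIM implementation, of the check ordering discussed above: receiver Z consults its own whitelist of re-signing lists before it applies the author domain's ADSP policy. The domain names, the `TRUSTED_MLMS` table, the return labels and the simplified Authentication-Results parsing are all assumptions made for the example.

```python
# Assumed local whitelist at Z: list signing domain (d=) -> authserv-id it uses.
TRUSTED_MLMS = {"lists.y.example": "mx.lists.y.example"}

def parse_authres(value):
    """Simplified Authentication-Results parser (no comments or quoted strings)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id, results = parts[0].split()[0], []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method, result, props))
    return authserv_id, results

def mlm_vouches(author_domain, valid_sig_domains, authres):
    """True only if a whitelisted list re-signed the message (signature verified
    by Z itself) and its A-R header reports dkim=pass for the author domain."""
    if authres is None:
        return False
    authserv_id, results = parse_authres(authres)
    for list_domain, expected_id in TRUSTED_MLMS.items():
        if list_domain in valid_sig_domains and authserv_id == expected_id:
            return any(m == "dkim" and r == "pass"
                       and p.get("header.d") == author_domain
                       for m, r, p in results)
    return False

def decide(author_domain, adsp, valid_sig_domains, authres=None):
    """valid_sig_domains: d= domains whose DKIM signatures Z verified itself.
    adsp: the author domain's published practice (unknown/all/discardable)."""
    if author_domain in valid_sig_domains:
        return "accept"          # author signature survived; ADSP is satisfied
    if mlm_vouches(author_domain, valid_sig_domains, authres):
        return "accept"          # whitelist checked first, then ADSP
    if adsp == "discardable":
        return "discard"
    if adsp == "all":
        return "suspicious"
    return "accept"              # "unknown": no ADSP statement to act on

# Constructed inputs: a whitelisted list and a self-declared one make the same claim.
GOOD = "mx.lists.y.example; dkim=pass header.d=x.example"
ROGUE = "mx.lists.bad.example; dkim=pass header.d=x.example"
print(decide("x.example", "discardable", {"lists.y.example"}, GOOD))
print(decide("x.example", "discardable", {"lists.bad.example"}, ROGUE))
```

The two calls differ only in whether the re-signer is on Z's whitelist, which is where the good-list versus bad-list decision ends up being made.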