On 02/Sep/10 20:43, Murray S. Kucherawy wrote:
> From: Alessandro Vesely [mailto:[email protected]]
>> If this message were replayed to all mailboxes in the world, the
>> number of complaints might be overwhelming; the more successful spam
>> reporting, the more scaring this possibility. And if anyone uses that
>> for tracking domain reputation, it might drop below small integer
>> ranges. In such scenario, one may consider it safer to only sign mail
>> destined to trusted recipients.
>
> Isn't reputation specifically out of scope though?

No, that's true for the /development/ of reputation systems.

> I don't see that this is an issue this WG can address, unless we want to
> tackle the issue of doing something DKIM-like at the connection level.

In part, the issue is being addressed in draft-ietf-dkim-mailinglists already. I'm questioning whether we can get away with saying that a MLM "is /likely/ to invalidate any or all of" a message's signatures. Reputation considerations suggest that author domains may want MLMs to behave consistently in this respect.

Crypto stuff at connection time is a different ongoing task, which may be useful in countering replay attacks in general. Joint signatures and From-%-rewriting are two easier and more specific techniques for describing how responsibility is transferred when a message transforms into another. I mentioned them in this thread because I deem they are worth being considered, each in its niche of suitable use cases.
