Franck Martin wrote:
> Silly question (?):
>
> Knowing that many mailing lists add [topic] at the beginning of the Subject
> line,
> what if DKIM was set to ignore that part when signing/verifying?
>
> Would it help to solve the problem of broken signature thru mailing lists?
>
> I realize the issue would be to also detect the added footer, but if I recall
> you can specify in dkim to sign only a certain length of the body and not
> the whole body.

So are you proposing changes or a BCP for DKIM signing and verification?

DKIM Signer Tips:

- When signing messages targeted for a mailing list, you MAY consider using the l= tag to increase the survival rate of the message list distribution when a list footer is the only change to the body integrity.

  SECURITY NOTE: Please keep in mind there is replay exploit potential with l= body length usage.

DKIM Verifier Tips:

- If a signature fails to validate, you MAY consider retesting to see if the failure was related to a subject line modified with a [LIST-NAME] tag. Strip the tag and retest. You might also check if the z= tag is available with the original Subject: header value.

But what about the other passive MLS-based mail tampering, albeit industry-acceptable, change options possible, such as stripping attachments, stripping HTML mime parts?

For our MLS software DKIM integration, I followed the expired DSAP proposed recommendations to first make sure there are no POLICY based restrictions and to exclude list membership for these domains. An example can be seen at this subscription page showing the ADSP Restriction warning:

http://www.winserver.com/public/code/html-subscribe?list=list-dkim

Try subscribing with any ADSP restricted domain email address, such as my test CatInTheBox.Net domain which has a DNS ADSP TXT record DKIM=DISCARDABLE, and you will see a subscription deny response.

But once the member is allowed, we are doing the basic list submission mechanics of:

- Verify original signature(s),
- Add verification results with A-R header(s),
- Modify/prepare message based on list option, which include
- Strip original signature(s),
- Resign with signer domain defined for the list,
- Perform Distribution,

there is no expectation of DKIM-related failure related to ADSP policies or related to broken original signatures.

One of the outcomes of this was the suggestion of a new list option that basically offers an option such as:

[_] Keep Original Mail Integrity

I like the idea because it is really a DKIM independent concept to offer list distribution features that do not alter list mail in any way. But in a new DKIM aware mail environment, this "no mail tampering" list option can apply very well for a list with resigning or no resigning scenarios where retaining original mail signature(s) is desired. The only change when resigning is the creation of a new signature which technically should not fail a DKIM verifier.

The main point I would like to stress is that we really need to begin to make DKIM something that is WORTH processing with well established conditions for GOOD and BAD mail filtering and reduce all the constant fuzzy mail designs that only continue to produce indeterminate results.

All that means is that if a domain is really seriously concerned about its DKIM signed mail survivability and minimizing all failures, then the domain should avoid submitting these domain messages to "Meat Grinders" such as a MLS well known to operate with industry-accepted mail tampering features.

Higher survivability can only begin to occur as the MLS software is made DKIM aware. I suggest there will continue to exist older legacy software and most likely for many years. But new or old, you will always need to be aware of the list operating behavior and what it does for DKIM directly or indirectly. In all cases, you are just putting your domain, brand and reputation at risk if you sign your mail with an expectation they will have a high survivability rate.

IMV, the reason there seems to be a continued aura of unsureness for DKIM is because we still have many failure conditions the DKIM Signer Domain Assessment model can not address. It doesn't even address the NO SIGNATURE scenario. So we are left with limited DKIM utility where the only message to consider is one DKIM signed by a trusted source. Anything else has an indeterminate status.

All that means is I don't think it helps a domain if it is going to go against this GOOD MAIL only idea by submitting signed mail to a list expecting it to survive when there is no current way to know what that list is going to do and the odds are very high it will break your original integrity. At best, it is for the author domain to be aware that the list signer domain will take responsibility for your copyrighted message by resigning it.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
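
The l= signer tip and its security note in the message above, as an added example that is not part of the original post or of any MLS product: a Python sketch of the RFC 6376 body hash (bh=) under "simple" body canonicalization, showing that a list footer survives a length-limited signature and how many trailing octets the signature leaves uncovered. The sample body, footer and function names are constructed for illustration.

```python
import base64
import hashlib


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: ignore empty lines at the
    end of the body and terminate it with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def body_hash(body: bytes, length=None) -> str:
    """Base64 SHA-256 body hash; `length` is the l= value (octets of the
    canonicalized body covered by the signature), None when l= is absent."""
    canon = canon_body_simple(body)
    if length is not None:
        if length > len(canon):
            raise ValueError("l= exceeds canonicalized body length")
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def check_body(body: bytes, signed_bh: str, length=None) -> dict:
    """Verifier-side check: does bh= match, and how many octets after the
    signed prefix are not covered by the signature?"""
    canon = canon_body_simple(body)
    try:
        ok = body_hash(body, length) == signed_bh
    except ValueError:
        ok = False  # body shorter than l= cannot verify
    unsigned = 0 if length is None else max(len(canon) - length, 0)
    return {"bh_ok": ok, "unsigned_octets": unsigned}


# Constructed sample data (not taken from any real message).
ORIGINAL = b"Hello list,\r\n\r\nSee the attached notes.\r\n"
FOOTER = b"_______________\r\nNOTE WELL: constructed list footer\r\n"

SIGNED_LEN = len(canon_body_simple(ORIGINAL))   # value the signer puts in l=
BH_WITH_L = body_hash(ORIGINAL, SIGNED_LEN)     # bh= when l= is used
BH_FULL = body_hash(ORIGINAL)                   # bh= when the whole body is signed

if __name__ == "__main__":
    print("full-body signature after footer:", check_body(ORIGINAL + FOOTER, BH_FULL))
    print("l= signature after footer:       ", check_body(ORIGINAL + FOOTER, BH_WITH_L, SIGNED_LEN))
```

A verifier that honours l= can use `unsigned_octets` as a policy input, since everything past the signed prefix verifies no matter what it contains.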