Barry Warsaw writes:

> My own personal feeling is that having lists re-sign messages is the best
> expectation to put forward. You're subscribed to a mailing list, so you trust
> that list much more than you trust the senders on that list.

But as Monica points out, sometimes you need to evaluate whether you trust the sender, because otherwise you need to trust *all* of the list's competence to evaluate senders, congruence of the list's trust policy with your own, *and* the honesty of the list's host administrators.

> So having the mailing list site re-sign the outgoing messages seems
> to me to be best practice. My inclination is that removing the
> original author's signature first is not entirely inappropriate.

But that doesn't work in the case in point, unless you also change the from field to reflect the list's domain.

What do these DKIM-strict domains do with digests? Do they actually check the content (ie, individual messages) for source domain and verify their DKIM signatures? If not, just have those people who aren't getting messages turn on digest mode with maximum frequency. :-)

Of course, all the phishers out there are reading this message, and will shortly be using this technique to phish gmail users, so you'll have to extend DKIM checks to the content of digests and forwards....

What really ought to be done is to format secured messages as multipart, and sign the overall header "From" and individual parts (perhaps identified by some kind of content ID). Then have the *MUA* (not the MTA!) check for alleged sender, and for highly-phishable alleged senders display *only* authenticated portions (plus maybe buttons to see unauthenticated content at user option).

Dream on, Steve ...
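The alignment point in the reply above (list re-signing "doesn't work ... unless you also change the from field"), as an added example that is not part of the original post or of Mailman: it assumes a "DKIM-strict" receiver wants a signature whose `d=` domain equals the From domain. It compares claimed domains only and does no cryptographic verification; every address, domain and signature value is constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def dkim_tags(value):
    """Parse a DKIM-Signature tag-list ("k=v; k=v") into a dict."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def signing_domains(msg):
    """d= domains claimed by every DKIM-Signature header (unverified)."""
    return [dkim_tags(v).get("d", "").lower()
            for v in msg.get_all("DKIM-Signature", [])]

def from_domain(msg):
    """Domain part of the header From address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def aligned(raw):
    """True if some signature's d= exactly matches the From domain."""
    msg = message_from_string(raw)
    dom = from_domain(msg)
    return bool(dom) and dom in signing_domains(msg)

def sample(from_header, *domains):
    """Build a constructed message carrying one signature per domain."""
    sigs = "".join(
        f"DKIM-Signature: v=1; a=rsa-sha256; d={d};\n"
        " s=sel; bh=PLACEHOLDER; b=PLACEHOLDER\n" for d in domains)
    return sigs + f"From: {from_header}\nSubject: test\n\nhello\n"

AUTHOR = "author@author.example"
CASES = {
    "direct from author": sample(AUTHOR, "author.example"),
    # Author signature stripped, list signs, From left untouched.
    "list re-signed only": sample(AUTHOR, "lists.example"),
    # Same, but From rewritten to the list's own domain.
    "re-signed, From rewritten": sample(
        '"author via list" <list@lists.example>', "lists.example"),
}

if __name__ == "__main__":
    for label, raw in CASES.items():
        print(f"{label:28} aligned={aligned(raw)}")
```
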
