Re: [ietf-dkim] Broken signatures, was Why mailing lists should strip them
-----Original Message-----
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Alessandro Vesely
Sent: Thursday, April 29, 2010 10:55 PM
To: ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] Broken signatures, was Why mailing lists should strip them

> Yet, it would seem that by, say, hashing just invariants of binary representations of the first entity, e.g. discarding its white space and punctuation, one may reach very high percentages of unbroken retransmission.

This sounds like what DomainKeys (RFC4870) called "nofws" canonicalization, which was discarded in favour of what is now "relaxed" in DKIM. I don't specifically recall the reasons now but I'm sure they're in the archives if someone else cares to dig that far back.

___
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
On 4/29/10 6:06 PM, John Levine wrote:
> I just don't see how you can simultaneously say "throw away unsigned mail" and "don't throw away unsigned mail if a list says it used to be signed" unless you have some way to identify trustworthy lists.

Agreed. People might trust authentications of a From domain based upon valid Author Signatures, but they should not trust From domains based upon A-R header indications of previous Author Signatures without knowing how the A-R headers were processed. Any assumption of proper processing would permit simple exploits and invite abuse. Those most interested in determining proper A-R header processing by third-parties would be those with an interest in protecting their recipients, such as financial institutions.

> But once you know that a list is trustworthy, why wouldn't you just accept all its mail? I just don't see a plausible scenario where you know you trust the list but still want to accept or reject mail based on assertions the list itself makes.

Not all mailing-lists will remove A-R headers. One misleading A-R header from a normally acceptable mailing-list promoting inappropriate trust could be replayed in a spam campaign. Such messages would be difficult to reject and might lead to inappropriate annotations. Who should be expected to retain audits of A-R header handling?

-Doug
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
--On 29 April 2010 10:58:44 -0600 "McDowell, Brett" <bmcdow...@paypal.com> wrote:
> On Apr 28, 2010, at 2:11 PM, John R. Levine wrote:
>>> Your proposal that MLM remove Signatures would cause restrictive policies to fail. Which is why I oppose this proposal.
>>
>> Indeed. I'm assuming that any list that paid attention to ADSP would sign its outgoing mail and would expect its recipients to trust it enough to whitelist the list's mail.
>
> That's quite an assumption. I would not make that same assumption as we chart out new/better mechanisms for MLM's to handle DKIM-signed mail. It will be true in some cases, and false in others. All for valid reasons we should seek to account for.

An MLM in receipt of a properly signed message from a domain with ADSP policy "discard" has a few options:

1. Forward the message to the distribution list unaltered, such that the signature remains intact. This might surprise some recipients, and may be an exception to normal list policy. On the other hand, it might be feasible if the list normally doesn't alter the subject or body.

2. Break the signature, and forward the message in the knowledge that recipients may discard it.

3. Break the signature, then discard the message.

4. Bounce the message, on the grounds that it may not be deliverable once the signature is broken. The DKIM signature should mean that it's safe to bounce the message back without risking collateral spamming, at least when the return path is in the same domain as the From: header.

5. Reject the message at SMTP time, with an appropriate 5xx error code. Similar to above. Safer when the return path domain doesn't match the from address domain.

I don't think I like (2) and (3).

-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
--On 29 April 2010 11:39:52 -0700 "Powers, Jot" <jpow...@paypal.com> wrote:
>> ...
>> What I'd advise is something like "put all of your transactional mail in a subdomain and set it to discardable, but don't do that to all your corpro users". There are other ways to go about this, but I'd say that you're playing with fire lumping all your stuff together as it appears that you're doing now.
>
> For non-obvious reasons it would be easier to do it the other way. Make corp come from a subdomain and change the policy there and keep transactional as paypal.com.

I can think of a few reasons, to do with mail volumes, numbers of recipients, the value of transactional messages to the business, and the fact that everything's currently set up right for transactional messages. Why risk breaking them!

-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
--On 30 April 2010 01:06:15 +0000 John Levine <jo...@iecc.com> wrote:
> I just don't see how you can simultaneously say "throw away unsigned mail" and "don't throw away unsigned mail if a list says it used to be signed" unless you have some way to identify trustworthy lists.
>
> But once you know that a list is trustworthy, why wouldn't you just accept all its mail? I just don't see a plausible scenario where you know you trust the list but still want to accept or reject mail based on assertions the list itself makes.

How about you trust the list, and it says the inbound message wasn't signed? The list has left the value judgement to the recipient.

-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
--On 28 April 2010 11:02:53 -0400 "MH Michael Hammer (5304)" <mham...@ag.com> wrote:
> A few thoughts to fuel the discussion:
>
> 1) It may be that the BCP document would appropriately have a section for end users of mail lists. One possible recommendation is that for domains which have strong security concerns, they may want to have a policy against posting to lists using the domain in question. (I'm throwing this out as a straw man).

Yep, I'd suggest sections for MLM site owners, MLM list managers (who may not have access to MTA configuration), list mail posters, and list mail recipients.

> 2) One possible recommendation to list managers is that if a message to the list is DKIM signed AND has an ADSP discardable policy AND the signature cannot be maintained intact then the list should bounce the message.

+1

> 3) Is there a way for us (perhaps in a future version) to provide for some sort of encapsulation that will allow the original signature/message to be maintained even as the list does certain (as yet unspecified) actions which might currently break the signature? Just blue skying here.

I guess you could attach the entire original message to the message that you're generating. In fact, the list could just send a message saying "This was posted to the list", preserving the subject line, I guess. I don't know how that would look in various mail clients.

> 4) I recognize the chorus which says "mail lists have always done things a certain way and who are you to tell us how or what we have to do". Having given that recognition, in creating an authentication model it seems self defeating not to provide mechanisms for the authentication to survive things like maillists (for those maillists/software providers willing to adopt whatever we come up with). Those lists which have always done things a certain way and wish to continue could do so - no harm no foul.
>
> Mike

-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
--On 28 April 2010 08:23:52 -0700 Dave CROCKER <d...@dcrocker.net> wrote:
> On 4/28/2010 8:02 AM, MH Michael Hammer (5304) wrote:
>> A few thoughts to fuel the discussion:
>>
>> 1) It may be that the BCP document would appropriately have a section for end users of mail lists. One possible recommendation is that for domains which have strong security concerns, they may want to have a policy against posting to lists using the domain in question. (I'm throwing this out as a straw man).
>
> Are you suggesting a bit of draft text that recipient sites might include in the email practices documentation they supply to the (human) users?
>
>> 2) One possible recommendation to list managers is that if a message to the list is DKIM signed AND has an ADSP discardable policy AND the signature cannot be maintained intact then the list should bounce the message.
>
> What is the particular benefit of doing this, rather than letting the receiving site do the bouncing? This is extra mechanism for the MLM, and most MLMs won't be supporting it. I'm trying to get a clear sense of the value proposition for this.

The receiving site would bounce to the list. The message ought to be bounced to the original sender, who (with adsp=discard) probably doesn't want messages redistributed, and should be informed of the problem.

Certainly *my* MTA/MLM setup (Exim/Mailman) can be configured to do this. In fact, Exim could be configured to do this with any MLM behind it.

>> 3) Is there a way for us (perhaps in a future version) to provide for some sort of encapsulation that will allow the original signature/message to be maintained even as the list does certain (as yet unspecified) actions which might currently break the signature? Just blue skying here.
>
> I think you are raising the (much) larger question of constraining the nature of changes made by MLMs. Since they are actually posting an entirely new message, they have the legitimate freedom to do what they want to it.
>
> However, some can choose to participate in that much more constrained role, looking more like a relaying MTA than a modifying intermediary.
>
>> 4) I recognize the chorus which says "mail lists have always done things a certain way and who are you to tell us how or what we have to do". Having given that recognition, in creating an authentication model it
>
> Strictly speaking, DKIM does not authenticate any part of the message, other than the d= parameter. I realize that this is an irritating observation, but it is semantically precise and accurate. Absent the presence of ADSP usage, assuming that anything else is authenticated goes beyond the DKIM specification.
>
> d/

-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
On Thu, 29 Apr 2010 21:12:02 +0100, SM <s...@resistor.net> wrote:
> At 11:12 29-04-10, Michael Thomas wrote:
>> With respect to DKIM, anybody who filters based on broken signatures without any (or little) other input pretty much deserves the false positive rate they're complaining about.
>
> This mailing list removes the DKIM signature of the poster.

... and that is precisely the cause of the problem. Nobody should EVER remove a signature (unless it was one they wrote themselves). The correct procedure is to add an Authentication-Results to say that the signature was good on arrival (assuming it was). Ideally, it should then be resigned (with the A-R included in the signature).

Then the recipient has some evidence to assist in his evaluation. In fact, the changes made by this list are easily reversible, if someone wants to try to reverse them and check the original signature. But he cannot do that with a signature that has been removed.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: ...@clerew.man.ac.uk      snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
>> Could you explain what you mean by "forge" and "legitimate"? You appear to be saying that mailing lists are doing something sleazy and illegitimate by doing what they've done for the past 40 years, which seems implausible.
>
> That is exactly what I'm saying.
>
> http://en.wikipedia.org/wiki/Asbestos

So, if I understand you correctly, when the AARP e-pends an address for me and sends me spam, it's legitimate because they're spamming from their own domain, but when you get mail from the DKIM list you've signed up for it's not.

Wow.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
Re: [ietf-dkim] Broken signatures, was Why mailing lists should strip them
On 30/Apr/10 08:50, Murray S. Kucherawy wrote:
>> boun...@mipassoc.org] On Behalf Of Alessandro Vesely
>> Sent: Thursday, April 29, 2010 10:55 PM
>>
>> Yet, it would seem that by, say, hashing just invariants of binary representations of the first entity, e.g. discarding its white space and punctuation, one may reach very high percentages of unbroken retransmission.
>
> This sounds like what DomainKeys (RFC4870) called "nofws" canonicalization, which was discarded in favour of what is now "relaxed" in DKIM.

Not exactly, removing punctuation would also take lines beginning with "from". For the body, we could peek any suitable baseline tokenization and hash its results.

> I don't specifically recall the reasons now but I'm sure they're in the archives if someone else cares to dig that far back.

The reason is meticulous security, which makes mailing lists' contents sleazy and illegitimate.

One is http://mipassoc.org/pipermail/ietf-dkim/2005q3/02.html (the previous part of the discussion is in some other archive or lost, but much text can be read in the quoted part of the message.) It exemplifies

    Amoeba yeast

to

    Amo ebay east

Another good summary of the driving thoughts is given in http://mipassoc.org/pipermail/ietf-dkim/2006q3/004416.html (while discussing whether to keep body-relaxed.) It exemplifies

    --boundary
    Content-Type: image/jpeg
    Content-Transfer-Encoding: base64

to

    --boundary
    Content-Type: image/jpegContent-Transfer-Encoding: base64
Re: [ietf-dkim] Broken signatures, was Why mailing lists should strip them
In article <4bda70b5.4090...@tana.it> you write:
> On 29/Apr/10 01:12, SM wrote:
>> The diversity of the email environment is such that you cannot come up with a mellowed canonicalization to cope with every possible change.
>
> Yet, it would seem that by, say, hashing just invariants of binary representations of the first entity, e.g. discarding its white space and punctuation, one may reach very high percentages of unbroken retransmission.

It sounds like you want to experiment with different canon schemes for DKIM, rather than the two that exist now. Wouldn't that be more appropriate for ASRG?

R's,
John
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
> Then the recipient has some evidence to assist in his evaluation. In fact, the changes made by this list are easily reversible, if someone wants to try to reverse them and check the original signature. But he cannot do that with a signature that has been removed.

Huh? If we could write down the changes that lists make to the mail they send, we would have done so. My list managers have been known to remove or reorder MIME parts and flatten HTML into text. I even run some quaint lists where the editor hand-edits the messages.

No, those aren't illegitimate, they're standard practice and have been for decades.

R's,
John
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On Fri, Apr 30, 2010 at 7:48 AM, John R. Levine <jo...@iecc.com> wrote:
>>> Could you explain what you mean by "forge" and "legitimate"? You appear to be saying that mailing lists are doing something sleazy and illegitimate by doing what they've done for the past 40 years, which seems implausible.
>>
>> That is exactly what I'm saying.
>>
>> http://en.wikipedia.org/wiki/Asbestos
>
> So, if I understand you correctly, when the AARP e-pends an address for me and sends me spam, it's legitimate because they're spamming from their own domain,

putting aside why they are sending you an email or how they got the email address, in this case the message comes from AARP unmodified. It is FROM AARP.

> but when you get mail from the DKIM list you've signed up for it's not.
>
> Wow.

mail _from_ a mailing list is not the original message anymore. I know this isn't a popular opinion. Just because something has been done someway for 40 years doesn't make it right. Thus my link to asbestos.

-- 
Jeff Macdonald
Ayer, MA
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
On Fri, Apr 30, 2010 at 5:38 AM, Ian Eiloart <i...@sussex.ac.uk> wrote:
> --On 30 April 2010 01:06:15 +0000 John Levine <jo...@iecc.com> wrote:
>> I just don't see how you can simultaneously say "throw away unsigned mail" and "don't throw away unsigned mail if a list says it used to be signed" unless you have some way to identify trustworthy lists.
>>
>> But once you know that a list is trustworthy, why wouldn't you just accept all its mail? I just don't see a plausible scenario where you know you trust the list but still want to accept or reject mail based on assertions the list itself makes.
>
> How about you trust the list, and it says the inbound message wasn't signed? The list has left the value judgement to the recipient.

How does one do that if using an email web service provider that puts the message into the spam folder without giving the recipient a choice?

-- 
Jeff Macdonald
Ayer, MA
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On 4/29/2010 2:04 PM, Jeff Macdonald wrote:
> On Wed, Apr 28, 2010 at 11:23 AM, Dave CROCKER <d...@dcrocker.net> wrote:
>> I think you are raising the (much) larger question of constraining the nature of changes made by MLMs. Since they [sic] are actually posting an entirely new message,
>
> and forging the From address

It's not forged:

    "to imitate fraudulently"
    http://dictionary.reference.com/browse/forge

The use of that word, for this situation, is simply incorrect. And the retention of the original posting's From: string is quite simply valid. The fact that it is causing a problem for some add-on technologies does not, post hoc, render the string invalid.

>> they have the legitimate freedom to do what they want to it.
>
> is it really legitimate in today's world?

Yes. Until the community develops, adopts and uses some alternative model, retention of the original posting's From: string has specific meaning that remains essential for mailing list semantics.

>> However, some can choose to participate in that much more constrained role, looking more like a relaying MTA than a modifying intermediary.
>
> DKIM should be able to survive that.

And there should be world peace. Our sharing such a wish does not, post hoc, render the string invalid.

d/

ps. DKIM /can/ survive that. Merely use l=0 and hash only the From: field or perhaps From: and Date: or perhaps... The fact that the community considers that alternative inadequate is understandable, but again, this add-on technology (DKIM) does not have the right to come in and declare well-established existing practice invalid.

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On 4/30/2010 3:16 AM, Ian Eiloart wrote:
>>> 2) One possible recommendation to list managers is that if a message to the list is DKIM signed AND has an ADSP discardable policy AND the signature cannot be maintained intact then the list should bounce the message.
>>
>> What is the particular benefit of doing this, rather than letting the receiving site do the bouncing? This is extra mechanism for the MLM, and most MLMs won't be supporting it. I'm trying to get a clear sense of the value proposition for this.
>
> The receiving site would bounce to the list.

As John has reminded us, this is not about a bounce message. Rather, it concerns an independent report, sent to an independently-registered address.

> Certainly *my* MTA/MLM setup (Exim/Mailman) can be configured to do this. In fact, Exim could be configured to do this with any MLM behind it.

What are the procedures for having this configuration cause FBL reports to go to an address that is different from the one registered in the FBL?

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [ietf-dkim] Why mailing lists should strip DKIM signatures
This isn't really a reply. It's a comment that Steve's note was sent a week ago and I'm frankly impressed that it has received no replies, since it contains the most salient observations about the current problem being discussed I've seen.

I've included all of its body in this posting, in the hope that folks will read it again more carefully.

d/

On 4/23/2010 10:06 AM, Steve Atkins wrote:
> On Apr 23, 2010, at 9:41 AM, John Levine wrote:
>> There's no new semantics, deep or otherwise. Yahoo is treating the signature as an assertion of responsibility -- it has my signature, the recipient complained about it, they have reason to think I'm not evil, so they sent me the complaint. All that is fine, but the problem is that for list mail, I'm not the one who can do anything about it.
>
> In this particular case, for you, that's true. It's not true in general.
>
>> Mike asked how one could tell whether this was a complaint about all mail from the list, or just mail from me. I have my suspicions, but I have no way to tell. The only party who can is the human or mechanical list manager who can look at the pattern of complaints and figure out the person is complaining about all the mail from the list, in which case they should unsub him, or he's just complaining about mail from me, in which case they might want to kick me off the list if they agree with the complaints.
>>
>> If a list adds its own signature and leaves the contributor's, now it's up to heuristics by the recipient to guess what to do.
>
> The recipient can use heuristics, if that works for them, but it's not the only option.
>
>> For list mail, the correct guess is to treat the list as responsible.
>
> Often. Maybe even usually. But not in all cases. As one theoretical example, if I compromise a webmail provider and use accounts there to sign up for yahoo groups mailing lists, then send spam to them, then the webmail provider is going to want to know about it. Or if I get a b-tard infestation trolling mailing lists I'll want to know about it.
>
>> Wouldn't it be a better idea to avoid the guessing?
>
> Yes, by notifying all the responsible parties who have set up a DKIM based FBL and who have valid DKIM signatures on the message.
>
> Part of the overhead of handling an FBL is to decide which reports to pay attention and which aren't. In your case you'd (probably) want to ignore any reports about mail sent from your legitimate users via mailing lists, via some heuristic that works for you. But you're the only one who can make that decision, so you can't push that decision off on to Yahoo or mailing list providers in general. I don't want them to make the decision to not send reports to responsible parties who do want the reports and can handle them.
>
> It's not too hard for anyone handling inbound FBL streams to categorize them mechanically, and automate their policies to ignore reports they believe are irrelevant, so the overhead for this sort of FBL report is low. If the mailing list manager strips signatures, they lose a source of data and don't get to make that decision.
>
> (As for reputation - a big part of reputation is the content that is sent. If a particular list subscriber consistently sends mail that other list subscribers complain about then it's not unreasonable that that may damage the reputation of that particular list subscriber as well as that of the list.)
>
> Cheers,
>   Steve

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
On Apr 29, 2010, at 9:06 PM, John Levine wrote:
> I just don't see how you can simultaneously say "throw away unsigned mail" and "don't throw away unsigned mail if a list says it used to be signed" unless you have some way to identify trustworthy lists.

Precisely! The key phrase being "unless you have some way to identify trustworthy lists".

> But once you know that a list is trustworthy, why wouldn't you just accept all its mail?

We need to be precise about what we mean by "trustworthy". Even if I have some way to identify trustworthy lists as you put it above, I have to be very clear about what I'm actually trusting that list to do.

Let's go back to the use case I drafted in response to Murray's report that introduced the MLM re-signing option.

> That's interesting. Let's make this concrete... I'll use myself as an example.
>
> X = me/PayPal.com
> Y = this list/ietf-dkim@mipassoc.org
> Z = Google's Gmail service [1]
>
> It is my assumption that someone subscribed to this list has a gmail.com account (or a Yahoo.com account [2]). Therefore, my use case is simple. I would hope that those of you reading this from your Gmail or Yahoo! accounts actually receive this message. If Z breaks the signature, you won't see this. So if it simply isn't practical to expect lists to maintain the signature, then offering the option for the list to validate the signature coming from X and send a new signature to Z that Z *can* (but doesn't have to) trust, is something immediately useful.

In that scenario, if the MLM re-signing solution has been deployed by Y, and DKIM+ADSP has been deployed by X & Z, and Z has chosen to take action on X's ADSP policies... the only thing Z is trusting Y to do is validate incoming DKIM signatures, re-sign the messages with its own DKIM signature, and pass it along with the A-R results that convey what was done. Z is not trusting everything and anything that might ever come through Y.

I think that's a reasonable level of trust to expect mailbox providers to have in mail lists who assert that they do this. Rogue mail lists will stop being trusted but only after they have lost the trust that was granted to them via their standards-based assertion (we would probably need to spec out how a MLM advertises that they indeed conduct flows in this manner) that they perform these functions on incoming mail.

Again, I'm not saying this is the best or most elegant way of handling the problem of properly authenticated mail not being able to traverse mail lists, but it seems worthy of further discussion as an option.

> I just don't see a plausible scenario where you know you trust the list but still want to accept or reject mail based on assertions the list itself makes.

Does the use case I've articulated above make sense?

-- Brett
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
On Apr 30, 2010, at 5:30 AM, Ian Eiloart wrote:
> --On 29 April 2010 10:58:44 -0600 "McDowell, Brett" <bmcdow...@paypal.com> wrote:
>> On Apr 28, 2010, at 2:11 PM, John R. Levine wrote:
>>>> Your proposal that MLM remove Signatures would cause restrictive policies to fail. Which is why I oppose this proposal.
>>>
>>> Indeed. I'm assuming that any list that paid attention to ADSP would sign its outgoing mail and would expect its recipients to trust it enough to whitelist the list's mail.
>>
>> That's quite an assumption. I would not make that same assumption as we chart out new/better mechanisms for MLM's to handle DKIM-signed mail. It will be true in some cases, and false in others. All for valid reasons we should seek to account for.
>
> An MLM in receipt of a properly signed message from a domain with ADSP policy "discard" has a few options:
>
> 1. Forward the message to the distribution list unaltered, such that the signature remains intact. This might surprise some recipients, and may be an exception to normal list policy. On the other hand, it might be feasible if the list normally doesn't alter the subject or body.
>
> 2. Break the signature, and forward the message in the knowledge that recipients may discard it.
>
> 3. Break the signature, then discard the message.
>
> 4. Bounce the message, on the grounds that it may not be deliverable once the signature is broken. The DKIM signature should mean that it's safe to bounce the message back without risking collateral spamming, at least when the return path is in the same domain as the From: header.
>
> 5. Reject the message at SMTP time, with an appropriate 5xx error code. Similar to above. Safer when the return path domain doesn't match the from address domain.
>
> I don't think I like (2) and (3).

I think this helps frame the discussion. It's highly related to Steve's post that Dave so rightly re-posted for re-consideration.

People on this list are advocating various options, but oddly enough I think this is the first post on the thread that tried to summarize all options.

FWIW, I don't like #2 or #3 either.

There's been some debate on this list regarding option #1 and it seems to be a non-starter for MLM operators. Actually, I've recently been joining a lot of new mail lists and some are configured like option #1 and I cannot stand them as a user. So I'd say option #1 might be an elegant/simple solution but I personally wouldn't want to see mail lists behave this way.

Options #4 and #5 seem closely related to what Steve was advocating when he brought up the value and role of FBL's could play in the original use case which John L. provided (before I threw in my use case in reaction to Murray's report on MLM re-signing discussions at IETF 77). I think they are all related because they all seem to fall into the category of "I, the MLM, am not going to deliver the mail, but I'm going to provide some failure information to the appropriate parties in the most useful form I can."

From Steve's message:

<snip>
> Wouldn't it be a better idea to avoid the guessing?

Yes, by notifying all the responsible parties who have set up a DKIM based FBL and who have valid DKIM signatures on the message.

Part of the overhead of handling an FBL is to decide which reports to pay attention and which aren't. In your case you'd (probably) want to ignore any reports about mail sent from your legitimate users via mailing lists, via some heuristic that works for you. But you're the only one who can make that decision, so you can't push that decision off on to Yahoo or mailing list providers in general. I don't want them to make the decision to not send reports to responsible parties who do want the reports and can handle them.

It's not too hard for anyone handling inbound FBL streams to categorize them mechanically, and automate their policies to ignore reports they believe are irrelevant, so the overhead for this sort of FBL report is low. If the mailing list manager strips signatures, they lose a source of data and don't get to make that decision.

(As for reputation - a big part of reputation is the content that is sent. If a particular list subscriber consistently sends mail that other list subscribers complain about then it's not unreasonable that that may damage the reputation of that particular list subscriber as well as that of the list.)

Cheers,
  Steve
</snip>

I think the role of DKIM FBL's needs to be discussed more on the list. Not only does it directly impact the first use case John L. introduced, but it could add a dimension to the second use case (X-Y-Z) that's been overlooked thus far.

Option #6: I don't think this summary captures the MLM re-signing option Murray and I have been somewhat advocating for. So I want to get that on the table in this summary.

-- Brett
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
On 04/30/2010 07:05 AM, McDowell, Brett wrote:
> In that scenario, if the MLM re-signing solution has been deployed by Y, and DKIM+ADSP has been deployed by X & Z, and Z has chosen to take action on X's ADSP policies... the only thing Z is trusting Y to do is validate incoming DKIM signatures, re-sign the messages with its own DKIM signature, and pass it along with the A-R results that convey what was done. Z is not trusting everything and anything that might ever come through Y. I think that's a reasonable level of trust to expect mailbox providers to have in mail lists who assert that they do this. Rogue mail lists will stop being trusted but only after they have lost the trust that was granted to them via their standards-based assertion (we would probably need to spec out how a MLM advertises that they indeed conduct flows in this manner) that they perform these functions on incoming mail. Again, I'm not saying this is the best or most elegant way of handling the problem of properly authenticated mail not being able to traverse mail lists, but it seems worthy of further discussion as an option.

Yeahbut... there are zillions of mailing lists out there. How do you know the good ones from the bad ones? Keep in mind, of course, that bad guys can resign too, and they can easily make themselves look like a mailing list if that's something that gives them advantage.

If the solution is some sort of (third party) reputation/whitelist, then there's really not much for us to do, right? Even with your discardable adsp setting, it becomes a matter of the order of checks at the receiver's gate (eg, whitelist first, then adsp...)

Mike
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
--On 30 April 2010 06:00:50 -0700 Dave CROCKER <d...@dcrocker.net> wrote:

> On 4/30/2010 3:16 AM, Ian Eiloart wrote:
>>>> 2) One possible recommendation to list managers is that if a message to the list is DKIM signed AND has an ADSP discardable policy AND the signature cannot be maintained intact then the list should bounce the message.
>>>
>>> What is the particular benefit of doing this, rather than letting the receiving site do the bouncing? This is extra mechanism for the MLM, and most MLMs won't be supporting it. I'm trying to get a clear sense of the value proposition for this.
>>
>> The receiving site would bounce to the list.
>
> As John has reminded us, this is not about a bounce message. Rather, it concerns an independent report, sent to an independently-registered address.

I was responding to the question quoted. I guess it's tangential to the original question that started the thread. Certainly *my* MTA/MLM setup (Exim/Mailman) can be configured to do this. In fact, Exim could be configured to do this with any MLM behind it.

> What are the procedures for having this configuration cause FBL reports to go to an address that is different from the one registered in the FBL?
>
> d/

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
On Apr 30, 2010, at 10:23 AM, Michael Thomas wrote:

> On 04/30/2010 07:05 AM, McDowell, Brett wrote:
>> In that scenario, if the MLM re-signing solution has been deployed by Y, and DKIM+ADSP has been deployed by X & Z, and Z has chosen to take action on X's ADSP policies... the only thing Z is trusting Y to do is validate incoming DKIM signatures, re-sign the messages with its own DKIM signature, and pass it along with the A-R results that convey what was done. Z is not trusting everything and anything that might ever come through Y. I think that's a reasonable level of trust to expect mailbox providers to have in mail lists who assert that they do this. Rogue mail lists will stop being trusted but only after they have lost the trust that was granted to them via their standards-based assertion (we would probably need to spec out how a MLM advertises that they indeed conduct flows in this manner) that they perform these functions on incoming mail. Again, I'm not saying this is the best or most elegant way of handling the problem of properly authenticated mail not being able to traverse mail lists, but it seems worthy of further discussion as an option.
>
> Yeahbut... there are zillions of mailing lists out there. How do you know the good ones from the bad ones? Keep in mind, of course, that bad guys can resign too, and they can easily make themselves look like a mailing list if that's something that gives them advantage.

Indeed. But mailbox providers all have their own secret sauce for figuring out reputation of senders that I believe they could apply to this new flavor of sender -- meaning MLMs who adopt the MLM-DKIM spec we seem to be debating the virtues of developing -- without too much overhead.

> If the solution is some sort of (third party) reputation/whitelist, then there's really not much for us to do, right?

I think we still need this spec I'm starting to refer to as MLM-DKIM to specify both the proper way of conducting this re-signing reporting practice and how the MLM advertises that they follow it.

> Even with your discardable adsp setting, it becomes a matter of the order of checks at the receiver's gate (eg, whitelist first, then adsp...)

But since mailbox providers already manage reputation at scale, how much of a burden is adding this bit to the mix? Remember this only affects mailbox providers who have decided to do DKIM blocking based on ADSP discardable policies (for some, if not all senders).
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
--On 30 April 2010 08:02:44 -0400 John R. Levine <jo...@iecc.com> wrote:

>>> I just don't see a plausible scenario where you know you trust the list but still want to accept or reject mail based on assertions the list itself makes.
>>
>> How about you trust the list, and it says the inbound message wasn't signed? The list has left the value judgement to the recipient.
>
> I've been using mailing lists for 35 years, and I cannot recall any where the list manager threw up his hands and didn't manage the list's contents.

I don't think that's what I'm saying. Currently lists don't do much to authenticate senders. I don't think it's implausible that a recipient might have stricter rules than a list manager. It might be unusual, I suppose.

> The conceptual model of mailing lists has been consistent for decades: the list picks mail to pass along using whatever manual or automated process it uses, and subscribers accept the mail the list sends. I don't see the point in trying to retroactively redefine the ways that lists work to try to shoehorn them into the limits of a poorly designed security add-on. See "forgery" for another example of the same newthink, in which the SPF crowd tried to persuade the world that SPF's failure to handle long established forwarding models was the forwarders' fault.
>
> R's,
> John

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
--On 30 April 2010 12:37:22 + John Levine <jo...@iecc.com> wrote:

>> Then the recipient has some evidence to assist in his evaluation. In fact, the changes made by this list are easily reversible, if someone wants to try to reverse them and check the original signature. But he cannot do that with a signature that has been removed.
>
> Huh? If we could write down the changes that lists make to the mail they send, we would have done so. My list managers have been known to remove or reorder MIME parts and flatten HTML into text. I even run some quaint lists where the editor hand-edits the messages.
>
> No, those aren't illegitimate, they're standard practice and have been for decades.
>
> R's,
> John

Perhaps they are, but there could be some value in trying to define a set of reversible list modifications which would permit DKIM signatures to still be useful. That's not to mandate those modifications, or to forbid others, but as guidance. It could be a way forward.

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
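Ian's five MLM options earlier in the thread and the "reversible list modifications" idea in this post, as an added example that is not code from the thread or from any real MLM: it simulates a list's usual Subject tag and footer edits, recomputes the DKIM relaxed body hash (bh=) to see what the edits broke, reverses them, and maps the outcome onto options 1, 4 and 5. ADSP_POLICIES, LIST_TAG, LIST_FOOTER, the bank.example post and the placeholder b= are constructed; a real verifier also checks b= against the signer's key from DNS, which this offline example omits.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-ins: the ADSP lookup (RFC 5617 _adsp._domainkey TXT record) and the list's edits.
ADSP_POLICIES = {"bank.example": "discardable", "ietf.example": "unknown"}
LIST_TAG = "[ietf-dkim]"
LIST_FOOTER = "--\r\nList info: https://lists.example/info\r\n"


@dataclass
class Message:
    headers: Dict[str, str]  # lower-cased field name -> value (one value per name is enough here)
    body: str                # body text with CRLF line endings


def relaxed_body(body: str, length: Optional[int] = None) -> bytes:
    """RFC 4871 relaxed body canonicalization: WSP runs -> one SP, no trailing WSP per line,
    no trailing empty lines, exactly one final CRLF.  An l= tag limits the hash to `length` bytes."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    canon = "".join(ln + "\r\n" for ln in lines).encode("utf-8")
    return canon if length is None else canon[:length]


def body_hash(body: str, length: Optional[int] = None) -> str:
    """bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body, length)).digest()).decode("ascii")


def parse_tags(sig: str) -> Dict[str, str]:
    """Split a DKIM-Signature value 'k=v; k=v; ...' into a dict, folding whitespace removed."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def sign_body_only(msg: Message, domain: str, use_length: bool = False) -> Message:
    """Constructed 'signer': bh= is real, b= is a placeholder (no private key here); l= added on request."""
    length = len(relaxed_body(msg.body)) if use_length else None
    tags = {"v": "1", "a": "rsa-sha256", "c": "relaxed/relaxed", "d": domain, "s": "sel2010",
            "h": "from:subject:date", "bh": body_hash(msg.body, length), "b": "PLACEHOLDER"}
    if length is not None:
        tags["l"] = str(length)  # content appended after the signed length is not covered
    return Message({**msg.headers, "dkim-signature": "; ".join(f"{k}={v}" for k, v in tags.items())},
                   msg.body)


def apply_list_edits(msg: Message) -> Message:
    """What many MLMs do to every post: tag the Subject (unless already tagged) and add a footer."""
    subject = msg.headers["subject"]
    if not subject.startswith(LIST_TAG):
        subject = f"{LIST_TAG} {subject}"
    body = msg.body if msg.body.endswith("\r\n") else msg.body + "\r\n"
    return Message({**msg.headers, "subject": subject}, body + LIST_FOOTER)


def reverse_list_edits(msg: Message) -> Message:
    """Undo the two edits above; works only because they are documented and mechanical, not for hand-edits."""
    subject = msg.headers["subject"]
    if subject.startswith(LIST_TAG + " "):
        subject = subject[len(LIST_TAG) + 1:]
    body = msg.body[:-len(LIST_FOOTER)] if msg.body.endswith(LIST_FOOTER) else msg.body
    return Message({**msg.headers, "subject": subject}, body)


def body_hash_ok(msg: Message) -> bool:
    """Does the body still match the bh= (and l=, if present) of its DKIM-Signature?"""
    tags = parse_tags(msg.headers["dkim-signature"])
    return body_hash(msg.body, int(tags["l"]) if "l" in tags else None) == tags["bh"]


def signed_parts_changed(original: Message, edited: Message) -> List[str]:
    """Signed header fields whose raw value changed (relaxed header canonicalization would forgive
    whitespace-only differences), plus 'body' when bh= no longer matches."""
    tags = parse_tags(original.headers["dkim-signature"])
    changed = [h for h in tags["h"].split(":") if original.headers.get(h) != edited.headers.get(h)]
    if not body_hash_ok(edited):
        changed.append("body")
    return changed


def domain_of(addr: str) -> str:
    match = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return match.group(1).lower() if match else ""


def recommend(original: Message) -> str:
    """Map the thread's options onto one inbound post; options 2 and 3 are the rejected ones, never returned."""
    from_domain = domain_of(original.headers["from"])
    if ADSP_POLICIES.get(from_domain) != "discardable":
        return "distribute edited copy (no discardable ADSP policy to trip over)"
    if not signed_parts_changed(original, apply_list_edits(original)):
        return "option 1: distribute with the signature intact"
    # Return-Path stands in for the SMTP MAIL FROM an MLM would see at submission time.
    if domain_of(original.headers.get("return-path", "")) == from_domain:
        return "option 4: bounce to the author (Return-Path domain matches From)"
    return "option 5: reject at SMTP time with a 5xx (Return-Path domain differs from From)"


def constructed_post(subject: str, return_path: str, use_length: bool = False) -> Message:
    """Constructed sample post from an ADSP-discardable domain."""
    msg = Message({"from": "Alice <alice@bank.example>", "subject": subject,
                   "date": "Fri, 30 Apr 2010 10:00:00 -0400", "return-path": return_path},
                  "Hi all,\r\n\r\nPlease review the draft.   \r\n\r\n")
    return sign_body_only(msg, "bank.example", use_length)
```

A post whose author already typed the list tag, signed with l=, survives both edits and lands on option 1; the same post without those survives neither and lands on option 4 or 5 depending on the Return-Path domain.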
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
On 04/30/2010 07:38 AM, McDowell, Brett wrote:
> On Apr 30, 2010, at 10:23 AM, Michael Thomas wrote:
>> On 04/30/2010 07:05 AM, McDowell, Brett wrote:
>>> In that scenario, if the MLM re-signing solution has been deployed by Y, and DKIM+ADSP has been deployed by X & Z, and Z has chosen to take action on X's ADSP policies... the only thing Z is trusting Y to do is validate incoming DKIM signatures, re-sign the messages with its own DKIM signature, and pass it along with the A-R results that convey what was done. Z is not trusting everything and anything that might ever come through Y. I think that's a reasonable level of trust to expect mailbox providers to have in mail lists who assert that they do this. Rogue mail lists will stop being trusted but only after they have lost the trust that was granted to them via their standards-based assertion (we would probably need to spec out how a MLM advertises that they indeed conduct flows in this manner) that they perform these functions on incoming mail. Again, I'm not saying this is the best or most elegant way of handling the problem of properly authenticated mail not being able to traverse mail lists, but it seems worthy of further discussion as an option.
>>
>> Yeahbut... there are zillions of mailing lists out there. How do you know the good ones from the bad ones? Keep in mind, of course, that bad guys can resign too, and they can easily make themselves look like a mailing list if that's something that gives them advantage.
>
> Indeed. But mailbox providers all have their own secret sauce for figuring out reputation of senders that I believe they could apply to this new flavor of sender -- meaning MLMs who adopt the MLM-DKIM spec we seem to be debating the virtues of developing -- without too much overhead.
>
>> If the solution is some sort of (third party) reputation/whitelist, then there's really not much for us to do, right?
>
> I think we still need this spec I'm starting to refer to as MLM-DKIM to specify both the proper way of conducting this re-signing reporting practice and how the MLM advertises that they follow it.
>
>> Even with your discardable adsp setting, it becomes a matter of the order of checks at the receiver's gate (eg, whitelist first, then adsp...)
>
> But since mailbox providers already manage reputation at scale, how much of a burden is adding this bit to the mix? Remember this only affects mailbox providers who have decided to do DKIM blocking based on ADSP discardable policies (for some, if not all senders).

Let's put aside whether there's something new here for the moment (I've not had my coffee yet...).

By all rights, we should not be having this conversation right now at all because you have set adsp discardable. So even if we adopted some bcp-like advice for mlm and receivers, it would be years if not forever before we could have a reliable conversation on this and other lists again. Maybe at paypal that's an acceptable tradeoff (?), but at my previous employer, all standards work, for one, would cease and there would be lots of engineers with pitchforks and torches.

So what I'm getting at here is that I'm having a hard time understanding how the bootstrap doesn't fail for most sending/receiving entities. As I'm sure you know, false positives drive mail admins to complete distraction... which is the situation it looks to me that you're willingly setting up. That said, you (paypal) are far braver than I am, but if you can make this work somehow as a large enterprise that would be a pretty amazing accomplishment.

Mike
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
> Perhaps they are, but there could be some value in trying to define a set of reversible list modifications which would permit DKIM signatures to still be useful. That's not to mandate those modifications, or to forbid others, but as guidance. It could be a way forward.

Sounds like another job for ASRG. First you'd need to see if you could characterize a meaningful set of lists, not just the ones you and I happen to be subscribed to.

R's,
John
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On Fri, Apr 30, 2010 at 8:56 AM, Dave CROCKER <d...@dcrocker.net> wrote:
> I wrote:
>>> and forging the From address
>
> It's not forged: "to imitate fraudulently" http://dictionary.reference.com/browse/forge
>
> The use of that word, for this situation, is simply incorrect. And the retention of the original posting's From: string is quite simply valid. The fact that it is causing a problem for some add-on technologies does not, post hoc, render the string invalid.

Perhaps poorly chosen words. But I think most understood the intent. I'm willing to go from a world where any system can use my From to one where only the systems I say can. And that means changes.

--
Jeff Macdonald
Ayer, MA
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
-----Original Message-----
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Jeff Macdonald
Sent: Friday, April 30, 2010 8:32 AM
To: dcroc...@bbiw.net
Cc: ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures

> Perhaps poorly chosen words. But I think most understood the intent. I'm willing to go from a world where any system can use my From to one where only the systems I say can. And that means changes.

It has been pointed out that MLM implementers have even more inertia than your average MTA implementer. Although many header fields have been invented specifically for the purpose of aiding list management (your List-Id: and List-Unsubscribe:, not to mention Sender:), their adoption has not exactly been universal. So you might be gung ho for big changes that will make things better, but we need to accept the fact that a substantial portion of the installed base won't change, at least not soon, and we can't ignore them. Any BCP we produce will have to take that into account.
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On 04/30/2010 08:32 AM, Jeff Macdonald wrote:
> Perhaps poorly chosen words. But I think most understood the intent. I'm willing to go from a world where any system can use my From to one where only the systems I say can. And that means changes.

Really? The sender has to opt in? That sounds like a lot of operational burden on the sender admins. To me that says that I'd need to get blessing from my mail admins to start posting to a new list/domain. Which is a pretty big change from the way things are now. And to my mind a little bit scary.

Mike
[ietf-dkim] besides mailing lists...
Is there anything out there that's not in the "mistake" or "bogus" category that would foil paypal's discardable adsp setting? Preferably that has the characteristic that it's out of their control.

Mike
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On 4/30/2010 8:32 AM, Jeff Macdonald wrote:
> On Fri, Apr 30, 2010 at 8:56 AM, Dave CROCKER <d...@dcrocker.net> wrote:
>> I wrote:
>>>> and forging the From address
>>
>> It's not forged: ... The use of that word, for this situation, is simply incorrect. ...
>
> Perhaps poorly chosen words. But I think most understood the intent.

Actually, most seem not to. They really believe the string is invalid or at least that its presence in that form is wrong.

If we are doing serious technical work, we need to be serious in our use of terminology. Among the various terms that I regularly rant about, the long-standing mischaracterization of the From: string as "forged" is particularly egregious. And my rant is not at you. It's at the community, for having established the practise of using the term.

> I'm willing to go from a world where any system can use my From to one where only the systems I say can. And that means changes.

That's an example of the problem in using the term: Much discussion about DKIM presumes far more end-to-end control by authors or senders than they will ever have.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On Fri, Apr 30, 2010 at 12:15 PM, Dave CROCKER <d...@dcrocker.net> wrote:
> On 4/30/2010 8:32 AM, Jeff Macdonald wrote:
>> On Fri, Apr 30, 2010 at 8:56 AM, Dave CROCKER <d...@dcrocker.net> wrote:
>>> I wrote:
>>>>> and forging the From address
>>>
>>> It's not forged: ... The use of that word, for this situation, is simply incorrect. ...
>>
>> Perhaps poorly chosen words. But I think most understood the intent.
>
> Actually, most seem not to. They really believe the string is invalid or at least that its presence in that form is wrong.
>
> If we are doing serious technical work, we need to be serious in our use of terminology. Among the various terms that I regularly rant about, the long-standing mischaracterization of the From: string as "forged" is particularly egregious. And my rant is not at you. It's at the community, for having established the practise of using the term.

Don't ever stop banging that drum.

>> I'm willing to go from a world where any system can use my From to one where only the systems I say can. And that means changes.
>
> That's an example of the problem in using the term: Much discussion about DKIM presumes far more end-to-end control by authors or senders than they will ever have.

Murray, John, Dave and Mike: I apologize for going off on a tangent. I just keep asking myself "what if". :)

I like John's suggestion of taking Brett's ideas to ASRG.

--
Jeff Macdonald
Ayer, MA
Re: [ietf-dkim] besides mailing lists...
On Fri, Apr 30, 2010 at 11:57 AM, Michael Thomas <m...@mtcc.com> wrote:
> Is there anything out there that's not in the "mistake" or "bogus" category that would foil paypal's discardable adsp setting? Preferably that has the characteristic that it's out of their control.

ESPs have a forward-to-a-friend feature for their clients. It's a feature in which the ESP creates the content and sends a message from a friend, to a friend. It would be discarded. However, I'm willing to say this is a bogus practice.

--
Jeff Macdonald
Ayer, MA
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
-----Original Message-----
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Dave CROCKER
Sent: Friday, April 30, 2010 12:15 PM
To: Jeff Macdonald
Cc: dcroc...@bbiw.net; ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures

> On 4/30/2010 8:32 AM, Jeff Macdonald wrote:
>> On Fri, Apr 30, 2010 at 8:56 AM, Dave CROCKER <d...@dcrocker.net> wrote:
>>> I wrote:
>>>>> and forging the From address
>>>
>>> It's not forged: ... The use of that word, for this situation, is simply incorrect. ...
>>
>> Perhaps poorly chosen words. But I think most understood the intent.
>
> Actually, most seem not to. They really believe the string is invalid or at least that its presence in that form is wrong.
>
> If we are doing serious technical work, we need to be serious in our use of terminology. Among the various terms that I regularly rant about, the long-standing mischaracterization of the From: string as "forged" is particularly egregious. And my rant is not at you. It's at the community, for having established the practise of using the term.

I seem to remember this discussion in the distant past and there overall people seemed to have less difficulty with the use of the term "spoof" or "spoofing" instead of "forge" or "forging". If not this term then it would be appropriate to come to a consensus on a term that represents this practice.

Mike
Re: [ietf-dkim] besides mailing lists...
On 04/30/2010 09:37 AM, Jeff Macdonald wrote:
> On Fri, Apr 30, 2010 at 11:57 AM, Michael Thomas <m...@mtcc.com> wrote:
>> Is there anything out there that's not in the "mistake" or "bogus" category that would foil paypal's discardable adsp setting? Preferably that has the characteristic that it's out of their control.
>
> ESPs have a forward-to-a-friend feature for their clients. It's a feature in which the ESP creates the content and sends a message from a friend, to a friend. It would be discarded. However, I'm willing to say this is a bogus practice.

Oh yeah, the evite scenario. Maybe if we can collect these and categorize them into bogus/nice-to-have/essential it might be helpful.

Mike
Re: [ietf-dkim] besides mailing lists...
-----Original Message-----
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Jeff Macdonald
Sent: Friday, April 30, 2010 12:37 PM
To: IETF-DKIM
Subject: Re: [ietf-dkim] besides mailing lists...

> On Fri, Apr 30, 2010 at 11:57 AM, Michael Thomas <m...@mtcc.com> wrote:
>> Is there anything out there that's not in the "mistake" or "bogus" category that would foil paypal's discardable adsp setting? Preferably that has the characteristic that it's out of their control.
>
> ESPs have a forward-to-a-friend feature for their clients. It's a feature in which the ESP creates the content and sends a message from a friend, to a friend. It would be discarded. However, I'm willing to say this is a bogus practice.

I suppose that there are other sites (some news sites for example... would have to look for one to find a concrete example) which use forward-to-a-friend where the site uses the from address of the individual.

Mike
Re: [ietf-dkim] besides mailing lists...
On Fri, Apr 30, 2010 at 11:47 AM, MH Michael Hammer (5304) <mham...@ag.com> wrote:
>> ESPs have a forward-to-a-friend feature for their clients. It's a feature in which the ESP creates the content and sends a message from a friend, to a friend. It would be discarded. However, I'm willing to say this is a bogus practice.
>
> I suppose that there are other sites (some news sites for example... would have to look for one to find a concrete example) which use forward-to-a-friend where the site uses the from address of the individual.

A scenario I had intended to implement here was F2F with the from address of the individual + third party DKIM signature. It's certainly something that clients ask for quite a bit.

Regards,
Al Iverson

--
Al Iverson | Chicago, IL | (312) 725-0130
Anti-spam: dnsbl.com and spamresource.com
@aliverson on twitter | www.baconrodeo.com
Re: [ietf-dkim] besides mailing lists...
On Fri, Apr 30, 2010 at 12:58 PM, Al Iverson <aiver...@spamresource.com> wrote:
> On Fri, Apr 30, 2010 at 11:47 AM, MH Michael Hammer (5304) <mham...@ag.com> wrote:
>>> ESPs have a forward-to-a-friend feature for their clients. It's a feature in which the ESP creates the content and sends a message from a friend, to a friend. It would be discarded. However, I'm willing to say this is a bogus practice.
>>
>> I suppose that there are other sites (some news sites for example... would have to look for one to find a concrete example) which use forward-to-a-friend where the site uses the from address of the individual.
>
> A scenario I had intended to implement here was F2F with the from address of the individual + third party DKIM signature. It's certainly something that clients ask for quite a bit.

Wouldn't help in paypal's case.

--
Jeff Macdonald
Ayer, MA
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On 4/30/2010 9:44 AM, MH Michael Hammer (5304) wrote:
> I seem to remember this discussion in the distant past and there overall people seemed to have less difficulty with the use of the term "spoof" or "spoofing" instead of "forge" or "forging". If not this term then it would be appropriate to come to a consensus on a term that represents this practice.

I applaud the effort in looking for a better term. "Spoof" probably isn't it, however:

  1. a mocking imitation of someone or something, usually light and good-humored; lampoon or parody: "The show was a spoof of college life."
  2. a hoax; prank.

  http://dictionary.reference.com/browse/spoof

If I had a strong choice to offer, I'd make it. Perhaps the place to start is to ask that we try to agree on a basic semantics statement that doesn't use the term, but could be taken as its definition. That is, what meaning are people trying to convey about this use or aspect of the From: field.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On 30/Apr/10 12:13, Ian Eiloart wrote:
> --On 28 April 2010 11:02:53 -0400 MH Michael Hammer (5304) <mham...@ag.com> wrote:
>> 2) One possible recommendation to list managers is that if a message to the list is DKIM signed AND has an ADSP discardable policy AND the signature cannot be maintained intact then the list should bounce the message.
>
> +1

+1, an additional reason is that the author might have a clever DKIM configuration, but just forgot to add "[ietf-dkim]" in front of the subject of a new message. A bounce easily prompts for such correction.
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On 4/30/10 8:48 AM, Michael Thomas wrote:
> On 04/30/2010 08:32 AM, Jeff Macdonald wrote:
>> Perhaps poorly chosen words. But I think most understood the intent. I'm willing to go from a world where any system can use my From to one where only the systems I say can. And that means changes.
>
> Really? The sender has to opt in? That sounds like a lot of operational burden on the sender admins. To me that says that I'd need to get blessing from my mail admins to start posting to a new list/domain. Which is a pretty big change from the way things are now. And to my mind a little bit scary.

Why not, when a sender authorization scheme can be unilaterally enacted in milliseconds with a simple request, either in the form of an email or a web-page. This would be a request to grant specific exceptions in the domain's "discard-able" or "all" policy by publishing a hash label.

In the case of financial institutions, before taking such a step, any authorized third-party should be audited. This would be easier to do with DKIM than with SPF because a server's range of permitted sources is not determined with a simple message probe. With DKIM, testing the handling of submissions from different accounts would offer reasonable assurance an authorization does not permit exploitations.

By implementing a third-party authorization scheme with DKIM, tighter restrictions become possible with fewer messages lost. A DKIM authorization scheme would also put the burden of knowing who can be trusted to properly handle A-R headers and message bodies on to the senders seeking protections afforded by "all" or "discard-able" ADSP policy.

-Doug
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
> I know this isn't a popular opinion. Just because something has been done someway for 40 years doesn't make it right. Thus my link to asbestos. Asbestos was always toxic to humans, but for whatever reason it took a long time to identify the problem.

Is there some long-standing toxic effect of mailing lists other than that they don't fit the simple identity models used by recently devised authentication schemes?

R's,
John
Re: [ietf-dkim] what do mailing lists do, was list vs contributor
> We need to be precise about what we mean by "trustworthy". Even if I have some way to identify trustworthy lists as you put it above, I have to be very clear about what I'm actually trusting that list to do.

When I sign up for a list, I trust it to send me mail that I am willing to receive. Is there any other understanding of mailing lists that people have?

R's,
John
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
>> Even with your discardable adsp setting, it becomes a matter of the order of checks at the receiver's gate (eg, whitelist first, then adsp...)
>
> But since mailbox providers already manage reputation at scale, how much of a burden is adding this bit to the mix? Remember this only affects mailbox providers who have decided to do DKIM blocking based on ADSP discardable policies (for some, if not all senders).

You appear to be asking recipients to distinguish among legit directly sent paypal transaction mail, legit paypal mail that comes through known-to-be-real mailing lists, and any other paypal mail that is presumably illegitimate. This is a huge burden, since you're asking every mail system in the world to distinguish between legit list mail and legit other mail, something they don't have to do if they just deliver mail which has a good reputation.

Since you're describing two mailstreams, directly sent paypal transaction mail and list relayed individual mail, why wouldn't it be a better idea and less work (for everyone other than paypal at least), to separate those two streams so the recipients don't have to guess which messages belong to which ones?

Free bonus: if you move the individual mail out of the transaction stream, if you are able to recognize list mail, you instantly know that any paypal.com mail arriving from a list has a problem.

R's,
John
Re: [ietf-dkim] besides mailing lists...
> I suppose that other sites (some news sites for example...would have to look for one to find a concrete example) which use forward-to-a-friend where the site uses the from address of the individual.

Try any newspaper web site that offers an email button.

R's,
John
Re: [ietf-dkim] what do mailing lists do, was list vs contributor
On 4/30/10 11:24 AM, John Levine wrote:
> We need to be precise about what we mean by trustworthy. Even if I have some way to identify trustworthy lists as you put it above, I have to be very clear about what I'm actually trusting that list to do.
> When I sign up for a list, I trust it to send me mail that I am willing to receive. Is there any other understanding of mailing lists that people have?

Perhaps this concern should be viewed in how different email might be perceived. When people are misled into believing you recommended some clever script, they might be tempted to give it a try. Just following a link could expose recipients to possible zero day exploits. This type of social engineering is ongoing, where theft of financial information has risen dramatically in the last two years.

Exploits are regularly found in browser extensions like Adobe Flash, Acrobat, Java, and Active-X, where many are patched and reported in comparatively long periods after initial discoveries. Malware taking advantage of these exploits often becomes modified in less than six hours. Once a patch is published, it is often followed by a flood of more malware, since it educates other writers.

While you may not be concerned, think of financial institutions seeing people's accounts ransacked. Whether they use their transactional domain, or some lesser known one, the need for security does not really change.

-Doug
Re: [ietf-dkim] what do mailing lists do, was list vs contributor
On Apr 30, 2010, at 2:24 PM, John Levine wrote:
> We need to be precise about what we mean by trustworthy. Even if I have some way to identify trustworthy lists as you put it above, I have to be very clear about what I'm actually trusting that list to do.
> When I sign up for a list, I trust it to send me mail that I am willing to receive. Is there any other understanding of mailing lists that people have?

Did you read the rest of my message?
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
On Apr 30, 2010, at 2:31 PM, John Levine wrote:
>> Even with your discardable adsp setting, it becomes a matter of the order of checks at the receiver's gate (eg, whitelist first, then adsp...) But since mailbox providers already manage reputation at scale, how much of a burden is adding this bit to the mix? Remember this only affects mailbox providers who have decided to do DKIM blocking based on ADSP discardable policies (for some, if not all senders).
> You appear to be asking recipients to distinguish among legit directly sent paypal transaction mail, legit paypal mail that comes through known-to-be-real mailing lists, and any other paypal mail that is presumably illegitimate.

Nope. I'm suggesting a means for enabling DKIM authenticated mail to survive transit through a mail list and arrive with the intent/purpose/value of the original authentication might be for MLM's to validate incoming mail and DKIM sign their own outbound mail along with the appropriate A-R data. That's all.
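The receiving half of the proposal above, as an added example that is not code from this thread or from any MLM: before a list records its own verification result and re-signs, it has to discard any incoming Authentication-Results header that already claims the list's own authserv-id, since RFC 5451 section 5 requires a border MTA to remove such fields (otherwise a forged result would be relayed to every subscriber). The authserv-id `lists.example`, the sample submission and the `process` helper are constructed for the example; the DKIM verification itself is out of scope and its outcome is passed in.

```python
"""Authentication-Results hygiene for a mailing list manager (MLM).

Added example, not code from the ietf-dkim thread or any MLM project.
Two steps: drop incoming A-R headers that claim our own authserv-id
(RFC 5451 section 5), then record the list's own verification outcome.
"""
from email import message_from_string

AUTHSERV_ID = "lists.example"   # constructed identity of this list's verifier
AR = "Authentication-Results"


def authserv_id_of(value):
    """Return the authserv-id named at the start of an A-R header value.

    RFC 5451: the value begins with the authserv-id, optionally followed
    by a version number, then ';' and the individual results.
    """
    head = value.split(";", 1)[0].strip()
    return head.split()[0].lower() if head else ""


def strip_own_results(msg, authserv_id=AUTHSERV_ID):
    """Delete every A-R header claiming our authserv-id; return how many."""
    existing = msg.get_all(AR, [])
    kept = [v for v in existing if authserv_id_of(v) != authserv_id.lower()]
    del msg[AR]                 # removes all instances of the field
    for v in kept:
        msg[AR] = v             # re-add the ones other MTAs legitimately set
    return len(existing) - len(kept)


def add_own_result(msg, dkim_result, signing_domain, authserv_id=AUTHSERV_ID):
    """Record the list's own verification result as an A-R header."""
    msg[AR] = f"{authserv_id}; dkim={dkim_result} header.d={signing_domain}"


def process(raw_message, dkim_result, signing_domain):
    """Sanitise and annotate one submission.

    Returns (number of forged headers removed, final list of A-R values).
    """
    msg = message_from_string(raw_message)
    removed = strip_own_results(msg)
    add_own_result(msg, dkim_result, signing_domain)
    return removed, msg.get_all(AR, [])


# Constructed submission: the first A-R header forges our authserv-id, the
# second was added by some other MTA and must be kept.
SUBMISSION = (
    "Authentication-Results: lists.example; dkim=pass header.d=bank.example\n"
    "Authentication-Results: mx.other.example; spf=pass smtp.mailfrom=bank.example\n"
    "From: alice@bank.example\n"
    "To: list@lists.example\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    removed, results = process(SUBMISSION, "fail", "bank.example")
    print(removed, "forged header(s) removed")
    for r in results:
        print(AR + ":", r)
```

RFC 5451 wants a new Authentication-Results field placed at the top of the header block; the stdlib `Message` appends instead, and the example does not enforce ordering. The DKIM signing of the outbound copy that the proposal also calls for would follow this step and is not shown.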
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On Apr 30, 2010, at 1:38 PM, Alessandro Vesely wrote:
> On 30/Apr/10 12:13, Ian Eiloart wrote:
>> --On 28 April 2010 11:02:53 -0400 MH Michael Hammer (5304) mham...@ag.com wrote:
>>> 2) One possible recommendation to list managers is that if a message to the list is DKIM signed AND has an ADSP discardable policy AND the signature cannot be maintained intact then the list should bounce the message.
>> +1
> +1, an additional reason is that the author might have a clever DKIM configuration, but just forgot to add [ietf-dkim] in front of the subject of a new message. A bounce easily prompts for such correction.

So that's another vote for option #4 (per the previous post trying to summarize the various options).

BTW, where is this mail list publicly archived? (Next time I'm referring to a previous message I'll just include the URL to the post.)
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On Apr 30, 2010, at 12:28 PM, Jeff Macdonald wrote:
> I'm willing to go from a world where any system can use my From to one where only the systems I say can. And that means changes.
> That's an example of the problem in using the term: Much discussion about DKIM presumes far more end-to-end control by authors or senders than they will ever have.
> Murray, John, Dave and Mike: I apologize for going off on a tangent. I just keep asking myself what if. :) I like John's suggestion of taking Brett's ideas to ASRG.

Those weren't my ideas. I haven't yet commented on the canonicalization topic. I lost track of who introduced that one.
Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
On Apr 28, 2010, at 5:02 AM, MH Michael Hammer (5304) mham...@ag.com wrote:
> A few thoughts to fuel the discussion:
> 2) One possible recommendation to list managers is that if a message to the list is DKIM signed AND has an ADSP discardable policy AND the signature cannot be maintained intact then the list should bounce the message.

Given that ADSP discardable is used to mark domains which send only email that the sender considers should never risk being modified in any way - they only want it sent from their smarthost to the MX of the original recipient, with no forwarding or store and forward or rewriting, effectively - perhaps something more aggressive by mailing list managers is needed.

If a mailing list were to simply reject all submissions from senders who are publishing ADSP discardable that would ensure that their wishes were not violated. And it seems to comply with the spirit of ADSP discardable more than the riskier suggestions.

Cheers,
Steve
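The two submission policies under discussion, option #4 (bounce when the message is signed, the From domain publishes ADSP discardable, and the list's rewriting would break the signature) and Steve's stricter rule (reject every submission from a discardable domain), as an added example that is not code from this thread or from any MLM. The DNS lookup of `_adsp._domainkey.<domain>` is replaced by a constructed in-memory table, the list is assumed to tag the Subject and append a footer, and the sample submissions with their placeholder signature values are constructed. Whether relay would break the signature is judged from the signature's own `h=` and `l=` tags: a list that touches a signed header, or appends to a body signed without a length limit, will produce a copy that no longer verifies.

```python
"""Submission policy for a mailing list manager (MLM) that honours ADSP.

Added example, not code from the ietf-dkim thread or any MLM project.
DNS is replaced by a constructed table of _adsp records; the list's own
rewriting behaviour (Subject tag, appended footer) is an assumption.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for TXT records at _adsp._domainkey.<domain>.
ADSP_RECORDS = {
    "bank.example": "dkim=discardable",
    "lists.example": "dkim=unknown",
}

# Assumed behaviour of this list: it tags the Subject and appends a footer.
LIST_MODIFIED_HEADERS = {"subject"}
LIST_APPENDS_FOOTER = True


def parse_tags(value):
    """Split a 'tag=value; tag=value' string (ADSP record or DKIM-Signature)
    into a dict.  All whitespace, including header folding, is removed first.
    """
    tags = {}
    for part in "".join(value.split()).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.lower()] = val
    return tags


def lookup_adsp(domain, records=ADSP_RECORDS):
    """Return the ADSP practice for a domain: 'unknown', 'all' or 'discardable'.

    A domain without a record is treated as 'unknown', the practice a
    receiver assumes when RFC 5617 finds no record.
    """
    record = records.get(domain.lower())
    if record is None:
        return "unknown"
    return parse_tags(record).get("dkim", "unknown").lower()


def signature_survives(msg):
    """Would the list's rewriting leave the DKIM signature verifiable?

    The signature covers the headers named in its h= tag and the body (all
    of it unless an l= tag limits the signed length).  Modifying a covered
    header, or appending to a body signed without l=, breaks verification.
    """
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return False            # nothing to preserve
    tags = parse_tags(sig)
    signed_headers = {h.lower() for h in tags.get("h", "").split(":") if h}
    if signed_headers & LIST_MODIFIED_HEADERS:
        return False
    if LIST_APPENDS_FOOTER and "l" not in tags:
        return False
    return True


def decide(raw_message, strict=False):
    """Return 'accept', 'bounce' or 'reject' for one submission.

    strict=False applies option #4: bounce only when a signature is present,
    the From domain is discardable, and relaying would break the signature.
    strict=True applies the stricter rule: reject any submission from a
    discardable domain, signed or not.
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    if not domain:
        return "reject"         # no usable author domain
    if lookup_adsp(domain) != "discardable":
        return "accept"
    if strict:
        return "reject"
    if msg.get("DKIM-Signature") is not None and not signature_survives(msg):
        return "bounce"
    return "accept"


# Constructed sample submissions (signature values are placeholders).
FRAGILE = (
    "From: Alice <alice@bank.example>\n"
    "To: list@lists.example\n"
    "Subject: quarterly numbers\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel;\n"
    " h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "\n"
    "body text\n"
)
# Same sender, but Subject is left unsigned and the signed body length is
# limited, so a Subject tag and an appended footer do not break it.
ROBUST = FRAGILE.replace("h=from:to:subject;", "h=from:to; l=10;")

if __name__ == "__main__":
    for name, raw in (("fragile", FRAGILE), ("robust", ROBUST)):
        print(name, decide(raw), decide(raw, strict=True))
```

Under option #4 the `ROBUST` submission is accepted because the list's changes fall outside what its signature covers, while the `FRAGILE` one is bounced; under the strict rule both are rejected, which is the behaviour Steve describes. Note that option #4 as stated in the thread says nothing about an unsigned message from a discardable domain, so the non-strict branch accepts it.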
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion
> I don't think that's what I'm saying. Currently lists don't do much to authenticate senders. I don't think it's implausible that a recipient might have stricter rules than a list manager. It might be unusual, I suppose.

I agree it's hypothetically possible, but have you ever seen an actual need for this in practice, a list where the recipients filter out messages that a more competently managed list would have rejected?

R's,
John
Re: [ietf-dkim] what do mailing lists do, was list vs contributor
>> We need to be precise about what we mean by trustworthy. Even if I have some way to identify trustworthy lists as you put it above, I have to be very clear about what I'm actually trusting that list to do.
>> When I sign up for a list, I trust it to send me mail that I am willing to receive. Is there any other understanding of mailing lists that people have?
> Did you read the rest of my message?

Yes. I didn't say anything about doing extra work to try to deal with mail from senders that mix transactional and individual mail in the same mailstream, since lists have never done that.

R's,
John