[ietf-dkim] Re: DKIM and mailing lists
hsantos at santronics.com
Sat Jan 21 07:00:07 PST 2006
From: "Frank Ellermann" <nobody at xyzzy.claranet.de>
> So far it was my impression that DKIM tries to establish some
> accountability as near to the "originator" as possible. As a
> simple rule that's "if it already has a valid signature, don't
> touch it".
As an author of a list server, I prefer to STRIP the signature when
allowed to avoid tampering with the many options already offered to the
From the point of view of the message author, the signed message sent to
the list agent has already reached its final destination and has
accomplished its goal of a secured transaction. At this point, the list
owner takes over.
What that means is that, in order to be consistent with the SSP protocol, it
should only be able to do this for:
NONE (no policy)
o=? WEAK (signature optional, no third party)
o=~ NEUTRAL (signature optional, 3rd party allowed)
The LS server will:
NONE, do not sign message
WEAK, strip, do not sign
NEUTRAL, if any strip/replace if he wants to re-sign it.
This is the only way the protocol integrity will be maintained when the
submitted message is expanded and distributed to downlink DKIM
> Fortunately there's no such thing as "sign some - third party
> never" in SSP, so at least for unsigned mails the situation is
> clear for DKIM-aware lists.
What about the WEAK (o=?) policy?
I am operating under the assumption that people's input, including that of
Arvel Hathcock, who suggested the WEAK policy, is taken seriously and will be
added to the updated DRAFT SSP.
Hector Santos, Santronics Software, Inc.
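
The list-server rules described in the message above, as an added Python example that is not part of the original post or of any list server's code. The function names, the "OTHER" bucket for any o= value the post does not list (handled here by leaving the message untouched), and the sample message are assumptions made for illustration.

```python
from email import message_from_string

# Policies for which the post says the list server may strip the signature.
STRIP_ALLOWED = {"NONE", "WEAK", "NEUTRAL"}
# o= tag values named in the post.
O_TAG = {"?": "WEAK", "~": "NEUTRAL"}

# Constructed sample submission; the signature value is a placeholder.
SAMPLE = (
    "From: author@example.org\n"
    "To: list@example.net\n"
    "DKIM-Signature: a=rsa-sha1; d=example.org; s=sel; b=PLACEHOLDER\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def policy_from_ssp(record):
    """Map the author domain's SSP record (None if absent) to a policy name."""
    if not record:
        return "NONE"
    tags = dict(
        (k.strip(), v.strip())
        for k, _, v in (part.partition("=") for part in record.split(";"))
        if k.strip()
    )
    # Assumption: any o= value not named in the post is "OTHER".
    return O_TAG.get(tags.get("o", ""), "OTHER")


def list_server_action(msg, ssp_record, operator_resigns=False):
    """Apply the post's rules in place.

    Returns (policy, signatures_stripped, list_adds_own_signature).
    """
    policy = policy_from_ssp(ssp_record)
    if policy not in STRIP_ALLOWED:
        return policy, 0, False  # leave the original signature untouched
    stripped = len(msg.get_all("DKIM-Signature", []))
    del msg["DKIM-Signature"]  # removes every occurrence, no error if absent
    # Only NEUTRAL (third party allowed) lets the list re-sign, and only
    # if the list operator wants to.
    list_signs = policy == "NEUTRAL" and operator_resigns
    return policy, stripped, list_signs
```

Actual signing is left to whatever DKIM signer the list server uses; the third return value only says whether the rules permit it.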