[ietf-dkim] Re: Attempted summary
fenton at cisco.com
Mon Jan 23 23:23:15 PST 2006
John Levine wrote:
>> Signing the From: header is currently required, but suppose it weren't:
> Then bad guys can take list messages and resend them with forged
> return addresses and still have a valid signature. Does anyone think
> this is a good idea?

Since this was quoted out of context, let me emphasize that my "suppose
it weren't" was just a hypothetical for answering Wietse's question. I
firmly believe that the From header MUST always be signed.

> I think the way we all expect to use DKIM is that a message comes in,
> we check the signature, then we look up the signing domain in some
> sort of reputation system, be it a local whitelist or something
> fancier, then if the reputation is good we accept the mail, if it's
> bad we reject it, and if there's no reputation, we fall back and do
> what we would have done otherwise.
> With this model, I have a lot of trouble envisioning a scenario where
> I would want list mail signed by anything other than the list. If
> there is old list software that doesn't sign and it happens to pass
> signed messages, fine, but if the list software is DKIM aware at all,
> I want it to sign so I can recognize list mail.

If the list does sufficient damage to the message that any incoming
signature is invalid, it might as well throw away the original
signature. If it's still there, someone is likely to waste time trying
to verify it. OTOH, if a list doesn't do that much, maybe only adds a
List-ID and similar header fields, I would be inclined to keep the
original signature. I don't like to throw away things that may be
valid. This attitude is also reflected in the state of my attic.
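
The From-coverage point discussed in this message, as an added example that is not part of the original post: a toy signer and verifier showing that a signature whose h= list omits From still validates after the From header is changed, and that a verifier requiring From in h= rejects it. An HMAC with a constructed key stands in for DKIM's public-key signature and canonicalization; the key, addresses and function names are assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stand-in for the signer's key pair

def parse_tags(value):
    """Parse a DKIM-Signature style tag list ('a=b; c=d') into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags

def signed_fields(tags):
    """Header field names listed in the h= tag, lowercased."""
    return [f.strip().lower() for f in tags.get("h", "").split(":") if f.strip()]

def header_digest(headers, fields):
    """Toy digest over the signed fields only (HMAC replaces the real signature)."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for name in fields:
        mac.update(f"{name}:{headers.get(name, '').strip()}\r\n".encode())
    return mac.hexdigest()

def sign(headers, fields, domain):
    return f"v=1; d={domain}; h={':'.join(fields)}; b={header_digest(headers, fields)}"

def verify(headers, sig_value, require_from=True):
    tags = parse_tags(sig_value)
    fields = signed_fields(tags)
    if require_from and "from" not in fields:
        return "fail: From not covered by h="
    ok = hmac.compare_digest(tags.get("b", ""), header_digest(headers, fields))
    return "pass" if ok else "fail: signed header changed"

# Constructed sample messages: same signed content, different From.
ORIGINAL = {"from": "alice@list.example", "subject": "Attempted summary",
            "date": "Mon, 23 Jan 2006 23:23:15 -0800"}
RESENT = {**ORIGINAL, "from": "forged@other.example"}

def demo():
    weak = sign(ORIGINAL, ["subject", "date"], "list.example")
    strong = sign(ORIGINAL, ["from", "subject", "date"], "list.example")
    return {
        "weak_lenient": verify(RESENT, weak, require_from=False),
        "weak_strict": verify(RESENT, weak),
        "strong_resent": verify(RESENT, strong),
        "strong_original": verify(ORIGINAL, strong),
    }
```
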