[ietf-dkim] Re: Attempted summary
MarkD+dkim at yahoo-inc.com
Tue Jan 24 07:40:35 PST 2006

On Tue, Jan 24, 2006 at 10:09:40AM -0500, Wietse Venema allegedly wrote:
> What is not clear to me is the benefit of a mailing list signature
> that is required to vouch for the authenticity of someone else's
> FROM: address. I see this as a source of confusion with both users
> and designers, and believe that this is a level of assurance that
> not every mailing list or other forwarder can provide.

That raises a question about assumptions. Is the fact that a List
signature includes "whatever was in the From: " actually vouching for
the authenticity of that address, or is it merely vouching for the
fact that this is the content it received?

The former - I call transitory trust - worries me conceptually. The
latter seems safer and simpler.

> I am concerned that the FROM: address is becoming a conceptual
> bottleneck, and would like to see a solution that allows mailing
> lists and other forwarders to sign mail ("as I forwarded this")
> without implied claims about the authenticity of the FROM: address.
> That is, the possibility of a mailing list etc. DKIM signature that
> just authenticates the list or forwarder.

That's how I was viewing a List signature. It was making no claims
about the original submission apart from "these are the bits as they
arrived at the List address". If some final list recipient sees value
in the original bits, good luck to them.

> If the original submission has a DKIM signature then of course that
> is great. If it doesn't, then we don't know that the mail came from
> that address, period. But if it has a valid list/forwarder signature,
> that can still be used to enable reputation-based systems.