[ietf-dkim] Concerns about DKIM and mailiing lists, etc.

Michael Thomas mike at mtcc.com
Thu Mar 16 09:17:12 PST 2006 

Dave Crocker wrote:
>> That is flat out wrong. We are right at this moment rolling out our
>> implementation of DKIM at Cisco. We have no local database. We are
>> getting utility our of DKIM by insuring our users to some degree
>> that the From address/domain that they see can or cannot be trusted to
>> the degree that DKIM makes that trustworthy. Y! and now Gmail from
>> what I hear are doing the same.
> 
> It sounds as if you are imparting more requirements on the phrase "some 
> database" than the term has on its own.
> 
> You just described a database of one entry, with a very specific 
> *additional* semantic.  This a) requires listing the domain name(s) to 
> be assigned the semantic, and b) the semantic that goes with this.  This 
> all goes far beyond the DKIM base specification.

You've deleted the key word: "local". We have no local database.
We're just using the SSP semantics as defined today. There are
no "additional semantics"; they just the semantics of SSP.

>>> And, as I've raised many times, I do not understand the compulsion to 
>>> preserve a signature for a message that is re-posted by an automaton 
>>> user agent, when there is no equivalent expectation of preservation, 
>>> for a message that is manually re-posted -- such as when I forward a 
>>> message on to someone else.  The architectural role is the same.  The 
>>> semantics are the same.
>>
>>
>> This is flat out wrong too. When you forward, you change the From:
>> address. Mailing lists do not. Therein lies the problem: they are
>> indistinguishable from random spoofers.
> 
> You have confused some details that are different -- some of the time -- 
> with DKIM requirements. Worst is that those requirements are not in the 
> base specification.

I can see that you're equivocating about "base". I've never claimed
that it was -base alone. It's -base in conjunction with -ssp. And
you still haven't refuted my point. Both you and John would do well
to actually get some real-life experience here.

> With respect to the point that I was making, there seems to be no 
> concern whether manual re-posting breaks a signature, but a great deal 
> of concern when that re-posting is by a user-level automaton.

It has _nothing_ to do with humans and automatons. It has
to do with the purported From: address; mailing lists that
mangle messages are indistinguishable from any miscreant that might
want to spoof your From: address, human or otherwise. I don't
know how to make this more clear, but I'm not sure that it
matters since actual experience seems to count for little to
you.

		Mike

More information about the ietf-dkim mailing list