[ietf-dkim] Concerns about DKIM and mailiing lists, etc.
mike at mtcc.com
Thu Mar 16 09:17:12 PST 2006
Dave Crocker wrote:
>> That is flat out wrong. We are right at this moment rolling out our
>> implementation of DKIM at Cisco. We have no local database. We are
>> getting utility our of DKIM by insuring our users to some degree
>> that the From address/domain that they see can or cannot be trusted to
>> the degree that DKIM makes that trustworthy. Y! and now Gmail from
>> what I hear are doing the same.
> It sounds as if you are imparting more requirements on the phrase "some
> database" than the term has on its own.
> You just described a database of one entry, with a very specific
> *additional* semantic. This a) requires listing the domain name(s) to
> be assigned the semantic, and b) the semantic that goes with this. This
> all goes far beyond the DKIM base specification.
You've deleted the key word: "local". We have no local database.
We're just using the SSP semantics as defined today. There are
no "additional semantics"; they just the semantics of SSP.
>>> And, as I've raised many times, I do not understand the compulsion to
>>> preserve a signature for a message that is re-posted by an automaton
>>> user agent, when there is no equivalent expectation of preservation,
>>> for a message that is manually re-posted -- such as when I forward a
>>> message on to someone else. The architectural role is the same. The
>>> semantics are the same.
>> This is flat out wrong too. When you forward, you change the From:
>> address. Mailing lists do not. Therein lies the problem: they are
>> indistinguishable from random spoofers.
> You have confused some details that are different -- some of the time --
> with DKIM requirements. Worst is that those requirements are not in the
> base specification.
I can see that you're equivocating about "base". I've never claimed
that it was -base alone. It's -base in conjunction with -ssp. And
you still haven't refuted my point. Both you and John would do well
to actually get some real-life experience here.
> With respect to the point that I was making, there seems to be no
> concern whether manual re-posting breaks a signature, but a great deal
> of concern when that re-posting is by a user-level automaton.
It has _nothing_ to do with humans and automatons. It has
to do with the purported From: address; mailing lists that
mangle messages are indistinguishable from any miscreant that might
want to spoof your From: address, human or otherwise. I don't
know how to make this more clear, but I'm not sure that it
matters since actual experience seems to count for little to
More information about the ietf-dkim