[ietf-dkim] Re: ISSUE: Better definition of "DKIM
signing complete" required
chl at clerew.man.ac.uk
Mon Nov 27 03:57:54 PST 2006
On Sun, 26 Nov 2006 21:37:37 -0000, Hector Santos <hsantos at santronics.com>
> We must work on the basis that a DOMAIN may want to use DKIM in a highly
> exclusive, bar none, 1 to 1 communications environment only. That is
> the highest protection DKIM an offer. We can't ignore this.
> After that, it gets relaxed and murky as to how to keep this DKIM
> security intact with various relaxed conditions. But we must satisfy
> the ideal condition and that is the strong and/or exclusive SSP policy.
> At this point, we then look at new features to support the DKIM LS
> implementation such as:
AFAICS, a List Expander has the following options:
1. Ignore DKIM. Pretend it doesn't exist.
The result of that is that list members (or their ISPs) will start
regarding some messages with "suspicion", and maybe drop them. List
members wll not be pleased.
2. Refuse to subscribe (as contributors) sites with exclusive SSP policies.
Will work, but will piss off people from such domains who want to
3. Manage the list so that signatures still work after passing through.
I.e. don't change 'critical' headers, don't add stuff at the end of
4. Resign all messages yourself.
Essentially, you are saying "I realise I may have broken the existing
signature, but I assure you I verified the original signature and checked
that it complied with the sender's SSP, and my new signature encompasses
an X-verified header I added to testify to those checks. Trust me! I am a
And then you hope that your reputation is good enough that your highly
suspicious recipients will indeed believe that you are a "Good Guy".
So, is that a good summary of strategies that have been discussed on this
list, or are there others? And are they good enough (#4 seems the best
approach to be, or maybe #3 and #4 together)?
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
More information about the ietf-dkim