[ietf-dkim] Resigner Support of RFC 5617 (ADSP)
Doug Otis
doug.mtview at gmail.com
Mon Oct 12 09:42:26 PDT 2009
On 10/12/09 7:04 AM, Wietse Venema wrote:
> Michael Deutschmann:
>> If this is indeed the official semantics of the protocol, then I would
>> petition to add a "dkim=except-mlist" policy. Which means "I sign
>> everything that leaves my bailiwick, but may post to signature-breaking
>> MLs."
>
> Are you going to announce all your users mailing list subscriptions
> in the policy record? If you do, that could be a privacy problem.
When a domain of a mailing list is publicly known, often so are the
lists themselves. The tpa-label approach will not indicate which
specific list is used, only that a domain is authorized to act on behalf
of the Author Domain. When some non-public domain is being used by a
mailing list, then the tpa-label itself would not be immediately apparent.
> If you don't, then the spammer can add any mailing list header to
> the message, and they can drive their truck through this hole.
Agreed. Which is why it makes sense to have Author Domains indicate to
their recipients the specific domains being used to originate messages
carrying their Author Domain. Perhaps it might become common to have an
intranet web page where users request specific mailing lists to be
included in the auto-generated tpa-label list.
Part of the concept behind the tpa-label approach was to provide a
means to authorize sources for the domain's messages by name, as a means
to help limit the sources that might generate abuse feedback reports.
Rather than checking with some reputation service, what better source
would there be than checking with the Author Domain itself?
-Doug
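The check the thread is arguing about, written out as an added example (not code from the list, from RFC 5617, or from the tpa-label draft): the Author Domain publishes which third-party domains may sign on its behalf, and a verifier trusts only verified signature domains against that list, never a mailing-list header the sender controls. The record layout, the `AUTHOR_POLICY` stand-in for DNS and the function names are assumptions.

```python
import re

# Constructed stand-in for DNS lookups (hypothetical format): each Author
# Domain publishes an ADSP-style practice plus the third-party domains it
# authorizes to sign on its behalf (e.g. the mailing lists its users post to).
AUTHOR_POLICY = {
    "example.com": {"practice": "all", "authorized": {"lists.example.org"}},
    "strict.example": {"practice": "discardable", "authorized": set()},
}


def author_domain(headers):
    """Extract the Author Domain from the From: header (lower-cased)."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", headers.get("From", ""))
    return m.group(1).lower() if m else None


def evaluate(headers, verified_signer_domains):
    """Return 'pass', 'fail' or 'none' for a message.

    verified_signer_domains: d= values of DKIM signatures that verified.
    Headers such as List-Id are deliberately ignored: anyone can add them,
    so they must not widen what the Author Domain has authorized.
    """
    author = author_domain(headers)
    if author is None:
        return "fail"
    policy = AUTHOR_POLICY.get(author)
    if policy is None:
        return "none"  # no published practice, nothing to enforce
    signers = {d.lower() for d in verified_signer_domains}
    if author in signers or signers & policy["authorized"]:
        return "pass"
    # Author Domain says it signs everything, and no authorized signer did.
    return "fail" if policy["practice"] in ("all", "discardable") else "none"
```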