[ietf-dkim] list vs contributor signatures, was Wrong Discussion

[Charles Lindsey]

On Fri, 30 Apr 2010 08:25:31 +0100, Douglas Otis <dotis at mail-abuse.org>  
wrote:

> On 4/29/10 6:06 PM, John Levine wrote:
>
>>  I just don't see how you can simultaneously say "throw away unsigned
>>  mail" and "don't throw away unsigned mail if a list says it used to
>>  be signed" unless you have some way to identify trustworthy lists.
>
> Agreed.  People might trust authentications of a From domain based upon
> valid Author Signatures, but they should not trust From domains based
> upon A-R header indications of previous Author Signatures without
> knowing how the A-R headers were processed.  Any assumption of proper
> processing would permit simple exploits and invite abuse.  Those most
> interested in determining proper A-R header processing by third-parties
> would be those with an interest in protecting their recipients, such as
> financial institutions.

Which is why A-R headers need to be signed by whoever created them Then at  
least you know where they came from and can adjust you policies  
accordingly.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5