[ietf-dkim] list vs contributor signatures, was Wrong Discussion
iane at sussex.ac.uk
Mon May 10 05:03:43 PDT 2010
--On 7 May 2010 13:07:34 -0400 "John R. Levine" <johnl at iecc.com> wrote:
>>> I believe it. Are you saying the list managers make no effort to keep
>>> the spam out of their lists?
>> No, but I don't think it's their job. As the site manager, that's my job
>> in general. What the list managers can add is access controls, and
>> authentication helps to improve the utility of such controls.
> Oh, we agree there, I wasn't distinguishing between the list and site
> manager, since at small sites they're often the same person.
>>> contributors, but DKIM doesn't help there since DKIM most definitely
>>> never says that the From: address is "real".
>> "real"? A signature from the sender domain at least says that if it's
>> not real, that's the responsibility of the sender domain owner, doesn't
> No, all it says is "we signed this mail." A signer with a good
> reputation will presumably rarely sign mail where the From: address
> actively misidentifies the sender, but that's a second order effect.
Right, and because the domain owner has signed the email, they can be held
responsible for abuse. At least, to a greater extent than when the mail
hasn't touched any system that they have any control over.
>> the end recipient may have a very different view of the reputation of
>> the sender than does the list. Or, it may wish to use the message
>> content to modify its reputation score for the sender.
> Once again, this sounds like a solution searching for a problem. I've
> done the occasional bozofiltering in mailing lists, but because the
> people were bozos, not spammers.
The problem is reputation assignment. Different recipients (of mail from
the same list) will have different views of the sender's reputation.
But, the problem is real, and recognised. Mailing lists break signatures.
>>> If you want strong sender authentication, we already have S/MIME, and I
>>> wouldn't be surprised if there were list software that could use it.
IT Services, University of Sussex
For new support requests, see http://www.sussex.ac.uk/its/help/
More information about the ietf-dkim