[ietf-dkim] list vs contributor signatures, was Wrong Discussion

[John R. Levine]

>> No, all it says is "we signed this mail."  A signer with a good
>> reputation will presumably rarely sign mail where the From: address
>> actively misidentifies the sender, but that's a second order effect.
>
> Right, and because the domain owner has signed the email, they can be held 
> responsible for abuse. At least, to a greater extent than when the mail 
> hasn't touched any system that they have any control over.

It is certainly reasonable to say that the signer has a good reputation, 
so we will accept his mail.  But that's different from saying that the 
signer has a good reputation, so the From: address must be "real".

>> Once again, this sounds like a solution searching for a problem.  I've
>> done the occasional bozofiltering in mailing lists, but because the
>> people were bozos, not spammers.
>
> The problem is reputation assignment. Different recipients (of mail from the 
> same list) will have different views of the sender's reputation.
>
> But, the problem is real, and recognised. Mailing lists break signatures.

It is certainly a fact that mailing lists break signatures.  But there are 
differences of opinion whether it's a problem.  Although I've seen plenty 
of assertions that it's a problem, we're a bit thin with real life as 
opposed to hypothetical scenarios where the broken signature leads to bad 
results.

The only one I've seen so far is the ADSP+list -> lost or rejected mail. 
I would say that is misuse of ADSP, not a list problem, since we were 
quite aware of it and in Appendix B of RFC 5617 we say not to do that.

R's,
John