[ietf-dkim] draft-ietf-dkim-mailinglists annex MUA considerations
daniel.subs at internode.on.net
Mon Aug 16 16:38:52 PDT 2010
On Monday 16 August 2010 20:25:16 Charles Lindsey wrote:
> On Sun, 15 Aug 2010 04:50:13 +0100, Daniel Black
> <daniel.subs at internode.on.net> wrote:
> > If users are to place value in From headers as MUAs display and ADSP
> > tries to enforce then mangling From headers adds complexity to the
> > interpretation of the header field by the end user.
> If the original was
> From: Joe Doe <joe at discardable.example>
> and a recipient sees it as
> From: Joe Doe <joe%discardable.example at mlm.example>
> then he will still have a pretty clear idea that it originated from Joe
> Doe, and may even be able to correctly guess Joe's original email address
> even if he is unfamiliar with the percent-hack.
I'm trying to get the same goal by recommending adding some non-artistically
specified form of a "list: mlm.example" display so it's more evident to the
user without percentage hacks. Current users are left out but a clearer
interpretation in the future is the tradeoff in values I'm making.
> > ANNEX A - MUA Considerations
> > A MUA could implement the following features to reduce the need for
> > signature modifications:
> > * Display of the List-ID header field beside where a subject header
> > field is displayed.
> > * Functionality to create a filter based on the List-ID header field.
> I agree it would be a Good Thing if MUAs routinely displayed some of the
> List-* headers as a default feature.
> But you seem to be suggesting that an MUA should be set up to accept
> messages with a List-Id plus a valid signature from the MLM, even from a
> discardable origin.
Good point. Should verifiers and MUAs do this check? I was hoping MUAs would
only need to parse Authenticated-Results rather than full DKIM/ADSP so a MUA
doing ADSP lookups would enter into an offline/online MUA discussion as
Hector mentioned and talks about the validity period of DNS records.
> Ignoring the fact that such emails may be already discarded by some
> boundary agent, that is still an open invitation to every Phisher to add a
> List-ID from some bogus list to every message he sends, and to add a valid
> signature from that bogus list (and perhaps even a deliberately invalid
> signature from the phished domain).
> Somehow, MUAs need to be aware of which lists the user is subscribed to if
> they are going to do that sort of thing.
Good idea. I'll try to word that in for the next rewrite. Alternately a MUA
maintains good/bad/indifferent third party signature lists and varies the
display for this.
Thanks for the review Charles.
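The display rule discussed in this message, as an added example that is not part of the original post or of the draft: an MUA shows the "list: ..." label only when the List-Id names a list the user is subscribed to and the Authentication-Results header added by its own boundary verifier reports a passing DKIM signature from that list's domain. The authserv-id, the subscription table and all sample messages are constructed assumptions.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.recipient.example"              # assumed: our own boundary verifier
SUBSCRIBED = {"dkim-talk.mlm.example": "mlm.example"}  # assumed: list-id -> signing domain

def passing_dkim_domains(msg):
    """Domains reported as dkim=pass, read only from our own verifier's header."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        authserv = parts[0].split()[0].lower() if parts[0] else ""
        if authserv != TRUSTED_AUTHSERV:
            continue  # anyone can insert this header; ignore foreign ones
        for result in parts[1:]:
            m = re.match(r"dkim=pass\b.*?\bheader\.d=([\w.-]+)", result, re.I | re.S)
            if m:
                domains.add(m.group(1).lower())
    return domains

def list_label(msg):
    """Return the 'list: ...' text to show beside the subject, or None."""
    ids = msg.get_all("List-Id", [])
    m = re.search(r"<([^<>\s]+)>", ids[0]) if len(ids) == 1 else None
    list_id = m.group(1).lower() if m else None
    if list_id not in SUBSCRIBED:
        return None  # bogus or unknown list: its valid signature proves nothing
    if SUBSCRIBED[list_id] in passing_dkim_domains(msg):
        return f"list: {list_id}"
    return None

def build(list_id_header, auth_results):
    """Constructed sample message (not real traffic)."""
    return message_from_string(
        "From: Joe Doe <joe@discardable.example>\n"
        f"List-Id: {list_id_header}\n"
        f"Authentication-Results: {auth_results}\n"
        "Subject: sample\n\nbody\n")

GENUINE = build("DKIM talk <dkim-talk.mlm.example>",
                "mx.recipient.example; dkim=pass header.d=mlm.example; "
                "dkim=fail header.d=discardable.example")
BOGUS_LIST = build("Offers <offers.bogus-list.example>",
                   "mx.recipient.example; dkim=pass header.d=bogus-list.example")
FORGED_AR = build("DKIM talk <dkim-talk.mlm.example>",
                  "mx.attacker.example; dkim=pass header.d=mlm.example")

if __name__ == "__main__":
    for name, msg in [("genuine", GENUINE), ("bogus list", BOGUS_LIST), ("forged A-R", FORGED_AR)]:
        print(f"{name}: {list_label(msg)}")
```

The check is only as good as the boundary: the verifier must strip any incoming Authentication-Results header that already carries its own authserv-id, otherwise the trusted-header test can be satisfied by the sender.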