[Mailman-Developers] dkim-signature headers

Michael Thomas mat at cisco.com
Mon Feb 5 23:10:10 CET 2007


Stephen J. Turnbull wrote:
> Michael Thomas writes:
>
>  > I'm afraid that intransigence from the mailing list community is
>  > likely to really backfire. Mailing list traffic is an extremely
>  > small percentage of traffic, and most admins are likely to just
>  > ignore the collateral damage if it's too much a nuisance.
>
> We know.  Mailing lists have always been vulnerable to such collateral
> damage by their very nature as bulk transports.
>
>  > Don't get me wrong: I spend far too much of my day on mailing lists
>  > and would really like things to work out. But hard line positions
>  > in the face of thorny engineering tradeoffs don't help.
>
> First, I don't speak for the Mailman community.  I fully expect that
> the Mailman developers will recognize that they have no choice but to
> provide DKIM-friendliness options.
>
> Second, you can call me hardline if you like,

I'm not calling anybody hardline; I'm just saying that there is a rather
unpleasant set of engineering tradeoffs for security and functionality
that need to be sorted out. Some of these tradeoffs are not especially
new considering that many apply to PGP and S/MIME too. What is
different here is that DKIM is likely to scale up -- already Y!, Gmail
sign billions of pieces of email a day, and this is likely to really ramp
up once DKIM has a bright and shiny RFC # (it's just waiting to get through
the IESG right now). So all of those things that are a theoretical problem
with S/MIME and PGP will likely be a real problem with DKIM.
 
> but you're advocating
> that we abandon RFC 2822's From-is-not-Sender semantics.  You're
> advocating that the legitimate editorial role currently performed by
> many mailing lists (analogous to the Editor reflowing lines and fixing
> typos in letters submitted for the Op-Ed page) be reduced to mere
> relaying.  This is pretty radical stuff, if you ask me.
>   

Let's be clear that I'm advocating a dialog here, not any particular
solution and I'm hoping that we can come up with some finesse. The
problem is that what you consider a legitimate editorial role
presupposes a trust relationship with the editor. But that's a rather
hard problem given the scale of email -- and spew -- that MTA's and
MUA's are having to deal with these days. I used to know what senders I
trusted 10 years ago; today absent cryptographic proof of identity, it's
just about anybody's guess. And my poor MTA's are even more clueless
still.

> The fact that you talk about the serious damage being done by mailing
> lists removing signatures leads me to wonder what was happening to
> unsigned posts on those mailing lists before they upgraded to a recent
> Mailman.

We weren't expecting there to be signatures before, so there wasn't
any damage. Since we sign just about everything now, we do have
an expectation that there are signatures there and are planning to take
advantage of that to alert users when a signature is missing/broken.
Note from where I sit, it seems that Mailman upgrade cycles seem to
be pretty slow in the field -- it's a small minority of the list traffic
that seems to be using the new DKIM-stripping upgrade.

> And the fact that you completely ignore the existing trust
> relationship that mailing lists have with their members in discussing
> third party signatures makes me wonder how carefully you and your
> colleagues have really thought about mailing lists.  (Especially since
> that trust relationship has been explicitly pointed out!)
>   
Mailing list members are not automatons dealing with the vast open sewer
of email. Those automatons currently have absolutely no clue who their
users do and don't have trust relationships with, and it's no easy chore to
come by it even if you are so inclined -- which I suspect most admins will
not be.

> So I just don't see an existing best practice here.  I see an attempt
> to develop an extension to an existing draft based purely on theory,
> and theory not really grounded in current practice, to boot.  I worry
> that an attempt to make Mailman conform to DKIM rather than write
> list-friendly wording into the standard will cause the collateral
> damage to be set in stone.
>   
In fact, the draft has been happily humming along with current lists
for quite some time. In any case, if you have some ideas about what
list friendly wording is, I'd be happy to hear it. The matter of the DKIM
BCP is still in its infancy.

       Mike

