[Mailman-Developers] dkim and email list software
Daniel Black
daniel at cacert.org
Sat Oct 10 04:29:14 CEST 2009
Hey Stephen and others,
On Friday 09 October 2009 22:55:22 Stephen J. Turnbull wrote:
> > Apart from the assertions of mailing list software developers I'm
> > yet to receive a strong assertion from list operators or
> > users.
>
> Er, do you think we write open source purely out of charity? We are
> all operators and users ourselves.
quite right. sorry.
> (Non-developer) users and list
> operators? See
> http://wiki.list.org/display/DOC/From+field+displayed+by+Microsoft+Outlook
> for what they think of the kind of display the munging you suggest
> produces. (The point is it's a FAQ; they *do not* like it.) And can
> you imagine what that will look like when combined with the munging
> you suggest Mailman do to fake out ADSP?
good point. Though seeing it suggests that maybe ADSP could cover Sender: and
at least some users with MUA's that display things a little ugly could tell
the difference between a spoofed email on a mailing list they subscribe to.
> > Even less forthcoming is the reasons the lack of acceptability that
> > could guide standards or implementations.
>
> 1. Spoofing authorship is what the phishers and the spammers do.
> We're the good guys, remember? Note that the name of the standard
> you are trying to promote here is *Author* Domain Signing Policy.
> What that means is that the list's domain is claiming authorship
> of the post. This is problematic in any number of ways.
>
> 2. Authorship information is lost, or at best obscured. You point
> out that most MUAs don't present List-* headers.
which I'm working on btw http://reviewboard.kde.org/r/1768/
> Well, they don't
> present Sender or In-Reply-To either (except for Outlook).
do you think MUAs should show Sender and/or Reply-To?
if so would making mailman set these to the list address be acceptable for
users?
> You're
> either in the From header, or the users don't know about it.
>
> 3. Sophisticated users filter on From. This breaks the filters
> bigtime once, and makes them more fragile forever after.
>
> 4. It's ugly.
Thank you for verbalising these four reasons. I accept all of these as reasons
for not changing the From address and are unlikey to mention it again.
> > there's a development cost that I'll consider contributing to but I'm
> > not going to develop stuff that has no change of being accepted.
> > I will consider writing patches for:
> > 1. global dkim-friendly= true to disable list modifications parameters
> > 2. From: rewriting
>
> 1. dkim-friendly is CAN-SPAM unfriendly. Specifically, best practice
> (and maybe the law AIUI) requires you to put an unsubscribe notice
> in somewhere. As you point out, the List-Unsubscribe header just
> won't do....
This can probably be accounted for by DKIM l= tags (the signed length is..) on
the sender's behalf and still allow additions of unsubscribe notices. If I
account for this provision would it be considerable?
(cut other information that I generally accept - thank you)
> > A proposal for author domains to authorize third party lists is in
> > development. http://mipassoc.org/pipermail/ietf-dkim/2009q4/012592.html
> >
> > It does place a large burden on author domains to deploy DNS records
> > pre- presenting every list their user base send email too.
>
> So it certainly loses in my use case: I run support lists. I really
> don't think someone whose editor has crashed and wants to know if they
> can recover the data they were editing is going to wait for IT to
> deploy DNS records before posting.
true, though automated techniques may help http://tools.ietf.org/html/draft-
kucherawy-dkim-reporting-05. I'll ask Murray about the future here.
I'm a lot more included to support your LDSP proposal scoped with security
concerns addressing forgery and reputation and/or a sender domain signing
practices document.
> > > The only real problem with this is getting the big ISPs to implement,
> > > but that's nothing new. In fact if it's as easy as adding routines to
> > > process the RFC 2369 + RFC 2919 set of headers "just like" ADSP
> > > handles "From:", I bet most would be happy to sign on.
> >
> > So this is for mailing list that send though big ISPs that can't
> > apply their own DKIM signatures? Not totally sure what you mean
> > here though signing is the easy part compared to applying filtering
> > on verification results.
>
> No, my mailing lists, and those like them, can deploy signatures and
> DNS easily enough. The question about the big ISPs is will they
> bother to do something to make things more comfortable for discussion
> lists.
Is this a matter of:
1. technology standardisation - (LDSP, DKIM Third-Party Authorization Label,
Sender DSP)
2. deployment practice standardisation - http://tools.ietf.org/html/draft-
ietf-dkim-deployment-08#section-6.3
3. deployment promotion - inclusion in, for example, mailman installation
manual / site administrator documentation
4. ensuring DKIM verification tools development supports this.
5. some marketing / guides for ISPs with respect to DKIM
There are other's battling in consideration of mailing lists (and are more
sensible than me).
http://mipassoc.org/pipermail/ietf-dkim/2009q4/012596.html
Many would love to have your involvement there if you're interested.
--
Daniel Black
Infrastructure Administrator
CAcert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.python.org/pipermail/mailman-developers/attachments/20091010/6414bce3/attachment-0001.pgp>
More information about the Mailman-Developers
mailing list