[Mailman-Developers] Thinking about list footers

Stephen J. Turnbull stephen at xemacs.org
Wed Jun 4 17:39:14 CEST 2014


Richard Damon writes:

 > There are some domains (like banks but NOT Yahoo and AOL) whose email is
 > important to verify identity of sender, who should have some form of
 > certificate that shows they have been verified by a trusted 3rd party
 > (like HTTPS certs). The 3rd party verification keeps phishers from using
 > minor misspellings to fake these domains.

This is what some banks do, already (poor man's version).  They send
you mail, you click on a link that takes you to the bank's secure site
which authenticates itself to you (usually via some secret you have
chosen for your account, as well as verifying the site via X.500
certificate over HTTPS).  Having confirmed it is your bank's site, you
log in.

 > For other domains, perhaps an SPF-like method on a per mailbox basis
 > (this could be used by Yahoo and the like). A person joins a mailing
 > list, the list sends a request to a mailbox indicated to get added as an
 > authorized sender, (which then somehow verifies with the user). Receiver
 > gets an email from an unspecified source, mark it as suspicious or block
 > it totally. This would impact programs like mailman, as if the user
 > domain uses such a protection, another step needs to be added to the
 > subscription process to get the user authorized to send to the
 > list.

If I understand you correctly, we actually already have the mechanics
for this in place.  Most sites like Yahoo! allow you to whitelist a
sender.  This could be extended to allow whitelisting based on the RFC
2369 List-Post field (simple to implement but requires subscriber
action if the List-Post address changes) or the RFC 2919 List-Id field
(complicated because it doesn't correspond directly to any domain,
you'd need some kind of DNS support which would be a bad idea to
special case lists).

Then just DKIM sign, and have the destination check for List-Post (not
from) identity alignment.  Not as much trouble as you suggest.

Murray, is there something here?
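
The receiver-side check proposed above, sketched as an added example that is not part of the original message or of Mailman. It assumes the receiving MTA has already verified DKIM and recorded the result in an Authentication-Results field under the hypothetical authserv-id `mx.receiver.example`, uses strict (exact-domain) alignment, and all addresses and the `sample` helper are constructed for illustration.

```python
import re
from email import message_from_string

AUTHSERV_ID = "mx.receiver.example"   # assumption: authserv-id of our own MTA
WHITELIST = {"dev@lists.example.org"}  # assumption: subscriber-approved List-Post addresses

def list_post_address(msg):
    """Address from a single RFC 2369 List-Post field, else None."""
    values = msg.get_all("List-Post", [])
    m = re.search(r"<mailto:([^>?\s]+)", values[0], re.I) if len(values) == 1 else None
    return m.group(1).lower() if m else None

def dkim_pass_domains(msg):
    """d= domains our MTA recorded as dkim=pass; foreign A-R headers are ignored."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        if parts[0].lower().split()[:1] != [AUTHSERV_ID]:
            continue
        for p in parts[1:]:
            m = re.search(r"header\.d\s*=\s*([\w.-]+)", p, re.I)
            if m and re.match(r"dkim\s*=\s*pass\b", p, re.I):
                found.add(m.group(1).lower())
    return found

def covers_list_post(msg, domain):
    """True if a DKIM-Signature by `domain` lists List-Post in its h= tag."""
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {k.strip(): v for k, v in (t.split("=", 1) for t in sig.split(";") if "=" in t)}
        signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
        if tags.get("d", "").strip().lower() == domain and "list-post" in signed:
            return True
    return False

def accept_list_mail(raw, whitelist=WHITELIST):
    """Whitelisted List-Post address whose domain equals a passing signer's d=."""
    msg = message_from_string(raw)
    post = list_post_address(msg)
    if post is None or post not in whitelist:
        return False
    domain = post.rsplit("@", 1)[-1]   # strict alignment: exact domain match
    return domain in dkim_pass_domains(msg) and covers_list_post(msg, domain)

def sample(list_post, d, authserv=AUTHSERV_ID, h="from:subject:list-post"):
    """Constructed message for the example (not real traffic)."""
    return (f"Authentication-Results: {authserv}; dkim=pass header.d={d}\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel; h={h}; bh=AAAA=; b=BBBB=\n"
            f"From: alice@yahoo.example\nList-Post: <mailto:{list_post}>\n\nbody\n")
```

The `h=` check is there because DKIM protects only the header fields the signer names in `h=`; a List-Post field outside that list could have been added or altered after signing.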


