Re: DMARC: perspectives from a listadmin of large open-source lists

[Miles Fidelman <mfidelman@meetinghouse.net>]

John R. Levine wrote:
>> want to allow modification of the subject field (e.g., adding a tag)
>> and/or the body (e.g., adding header and footer) - then you might have
>> to be a little cleverer, perhaps by providing information about the
>> diffs in extra headers and doing a few comparisons at the receiving end
>> (subject tag = *****<original-signed-subject>).
>
> That's unlikely to be a productive direction to go.  We had a lot of 
> arguments about message modification when we were designing the DKIM 
> strict and loose message digests.  We never found a way to allow 
> subject tags that wouldn't also enable all sorts of abuse, and I don't 
> think we missed anything.
>
> The reasonable way to use DKIM with mailing lists has always been for
> the list to add its own signature, and to use the list signatures to
> develop a (presumably good) reputation for the list so its mail gets
> delivered.  See the signatures on the messages from this list for an
> example.

I was thinking about combining:
- two signatures: at origination, by the list manager
- adding an additional header, along the lines of "original-subject"
- allowing for:
-- not breaking validation of the originating signature
-- adding tags to the subject line (and copying the original subject to 
original-subject)
-- adding a new signature at the mailing list
-- validating the original signature at receipt (just using the 
original-subject header in place of the tagged subject line)
-- doing a diff on the two subject lines to validate that the only thing 
added was a text tag before the original subject

Doesn't address the non-aligned From: header issue, but does reduce one 
impact.



-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra