[Mailman-Developers] dkim-signature headers

Michael Thomas mat at cisco.com
Thu Feb 8 22:26:59 CET 2007


Barry Warsaw wrote:
> Excellent post Steve, thanks.
>
> I think we're converging on a solution for Mailman both in the short 
> term and in the long term.  See my previously posted wiki link for my 
> current thoughts on the matter.  I just wanted to add one other thing...
>
> On Feb 8, 2007, at 12:41 AM, Stephen J. Turnbull wrote:
>
>> "From == signing domain".  Just generalize that to include
>> "List-Id == signing domain" in the policy agent software!  And
>> "Sender == signing domain".
>
> I definitely agree that "List-ID == signing domain" should be added 
> for interoperability with mailing lists.  I'm not sure about Sender, 
> only because Mailman's addition of Sender itself is not without some 
> controversy (mostly over interpretation of RFC 2822 language IIRC).  
> But there's no doubt that well-behaved mailing lists should include 
> List-ID, so that makes a natural header to sign.  See my discussion in 
> the wiki page for situations where we might /not/ want to sign List-ID 
> though.

I wouldn't get all hung up about what you're signing "for", per se. The
right thing to do for a mailing list signature that, say, adds both ListId
and Sender would be to:

h=From:ListId:Sender:[all of the other headers like mime stuff, etc]

and

i=mailing at list.org

Note that the i= is the way to assert which address if any you want to
take responsibility, which in the mailing list case is the ListID or Sender.
It is definitely not harmful to sign things like From too, and you definitely
should do that (I believe it's a MUST anyway). The only trickiness is that
you shouldn't sign things like Sender or ListID if they are empty and it's
acceptable for them to be modified in flight (ie, by a mailing list)... that
probably doesn't affect you unless there are signatures where you add
ListID but don't add Sender or something like that.
>
> Michael, since you're a DKIM spec insider, can you please relay this 
> discussion to that community (if you agree with us of course!).  We're 
> making a good faith effort to do our part, and I'd like to see the 
> DKIM specs acknowledge the mailing list use case more strongly.
I'm not entirely sure what I'm being asked to do -- did you have anything in
particular you want me to relay? I remember the part of wanting to have
better guidance, but did I miss anything else? I will forward on your wiki
entry though...

       Mike
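
The header selection discussed in this message, sketched as an added example that is not part of the original post or of Mailman: it picks the h= list for a list's own signature, leaves out absent or empty headers that a later hop may fill in, and checks that the i= identity sits inside the d= domain. The names `plan_signature` and `CANDIDATES`, the registered header spelling `List-Id`, and the sample message are assumptions made for illustration; no signature is computed.

```python
from email import message_from_string

# Headers the list would like its signature to cover (constructed preference list).
CANDIDATES = ["From", "List-Id", "Sender", "Subject", "Date",
              "MIME-Version", "Content-Type"]

def plan_signature(raw, d, i, mutable_in_flight=("List-Id", "Sender")):
    """Return the d=, i= and h= tag values a re-signing list would use."""
    msg = message_from_string(raw)
    if not (msg.get("From") or "").strip():
        raise ValueError("From must be present: it always goes in h=")
    d = d.lower()
    i_domain = i.rpartition("@")[2].lower()
    # The i= identity has to sit in the d= domain or one of its subdomains.
    if i_domain != d and not i_domain.endswith("." + d):
        raise ValueError(f"i= domain {i_domain!r} is outside d={d!r}")
    signed = []
    for name in CANDIDATES:
        present = bool((msg.get(name) or "").strip())
        # Naming an absent header in h= signs its absence, so a later hop
        # that adds the header breaks the signature. Skip the ones that
        # are allowed to be added or changed in flight.
        if not present and name in mutable_in_flight:
            continue
        signed.append(name)
    return {"d": d, "i": i, "h": ":".join(signed)}

# Constructed sample: the list has added List-Id but not Sender.
SAMPLE = (
    "From: alice@example.com\n"
    "List-Id: Example list <dev.lists.example.org>\n"
    "Subject: test\n"
    "Date: Thu, 08 Feb 2007 22:26:59 +0100\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(plan_signature(SAMPLE, "lists.example.org", "mailing@lists.example.org"))
```
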

