[Mailman-Developers] MIME footers

Murray S. Kucherawy superuser at gmail.com
Fri Feb 27 20:46:40 CET 2015


On Tue, Feb 24, 2015 at 2:08 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net>
wrote:

> > Equally important: What would it do to sign a message that's not MIME
> > to begin with?  Could it be compelled to turn it into a MIME message,
> > perhaps treating the original as a single-part text/plain message and
> > doing the same wrapping I described?
>
> Mailman doesn't usually sign messages.  What kind of signatures are you
> asking about?
>

Sorry, by "sign" I meant "add a footer".  I probably said "sign" because
this is related to some DKIM work I've been planning, and the morning's
caffeine was already wearing off.

Thanks for that detailed answer (and Barry for his followup).  It's
precisely what I was looking for.

How absurd would it be to propose a flag for Mailman that would take your
first case (non-MIME, or single-part text/plain) and convert it to a
multipart/mixed with a child part of the original text/plain, and then
apply the algorithm you have?

The impetus here is DKIM survivability across lists.  Suppose we had a DKIM
canonicalization that was MIME-aware, so that it could sign the specific
MIME parts or sets of parts.  That signature would fail on the message as a
whole -- with the footer part added -- but could in theory pass if an
appended part were omitted from canonicalization.  To put it in context,
suppose there were a DKIM canonicalization where the signer signed (using
your examples) the CDE message; the receiver gets FGHI which fails, but
also has enough information to know that merely verifying FGH will pass; it
then knows that FGH was "legitimate" and I was added post-signing, and may
or may not be "safe" (for some value thereof) content.

What I'm worried about with such a design is the trivial text/plain
message.  Obviously merely appending the footer destroys any hope of
validating only the original content.  We'd have to entertain the idea that
Mailman would make the simple message into a multipart/mixed + text/plain,
then append the footer part and sign that; the verifier would drop the
footer and then strip off the MIME to see if it can verify the original
signature that way.  That seems like it's easy to get wrong, though it's
likely to be a very common case.

-MSK
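
The wrap-then-append case described in the message above, as an added sketch that is not part of the original post and is not Mailman or DKIM code. It assumes a SHA-256 digest over normalised body text as a stand-in for the hypothetical MIME-aware canonicalization; the function names, sample message and footer are all constructed for illustration.

```python
import hashlib
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample: a trivial non-MIME text/plain post and a list footer.
ORIGINAL = "From: alice@example.org\nSubject: hello\n\nOriginal body line.\n"
FOOTER = "_______________\nexample-list mailing list\n"

def body_digest(text):
    """Assumed stand-in for the MIME-aware canonicalization: hash of the text
    with trailing whitespace stripped and CRLF line endings."""
    lines = [line.rstrip() for line in text.splitlines()]
    canon = "\r\n".join(lines).rstrip("\r\n") + "\r\n"
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def list_append(raw, footer):
    """Plain append: footer text lands inside the only body there is."""
    return raw + footer

def list_wrap(raw, footer):
    """Proposed flag: original text becomes child 1 of multipart/mixed,
    footer becomes the last child. The sample has no MIME headers to clash."""
    msg = message_from_string(raw)
    outer = MIMEMultipart("mixed")
    for name, value in msg.items():
        outer[name] = value
    outer.attach(MIMEText(msg.get_payload(), "plain", "utf-8"))
    outer.attach(MIMEText(footer, "plain", "utf-8"))
    return outer.as_string()

def verify(raw, signed_digest):
    """Verifier: try the body as received, then with the last part dropped
    and the single remaining text/plain child unwrapped."""
    msg = message_from_string(raw)
    if not msg.is_multipart():
        ok = body_digest(msg.get_payload()) == signed_digest
        return "pass" if ok else "fail"
    kept = msg.get_payload()[:-1]
    if len(kept) != 1 or kept[0].get_content_type() != "text/plain":
        return "fail"  # not the simple wrapped case this sketch handles
    charset = kept[0].get_content_charset() or "us-ascii"
    text = kept[0].get_payload(decode=True).decode(charset)
    if body_digest(text) == signed_digest:
        return "pass-after-dropping-footer"
    return "fail"
```

The "pass-after-dropping-footer" result says nothing about the dropped part itself, which stays unauthenticated content added after signing.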