----- Original Message -----
From: "Miles Fidelman" <mfidelman@xxxxxxxxxxxxxxxx>
To: <ietf@xxxxxxxx>
Sent: Friday, May 02, 2014 1:51 PM

Alessandro Vesely wrote:
> > On Thu 01/May/2014 17:18:38 +0200 Dave Crocker wrote:
> >> On 5/1/2014 8:22 AM, Phillip Hallam-Baker wrote:

<snip>

> 3. Actually developing something that plays nice with whitelists - as
> there is now some discussion about (XOAR, whitelists, ....).
>
> > I'm not clear what you mean. Is there a standard that defines mailing
> > lists?
>
> There are some that approach it - like the SMTP extensions for
> list-related headers. I personally think mailing list functionality is
> well enough understood that we could improve on this, and incorporate
> some standard authentication mechanisms in the process.
>
> Personally, I think some kind of standard that allows for:
> - separate identification and signing/authentication of author,
> originating MTA, list/forwarder would go a long way (I think this would
> require additional headers and/or standardizing the use of existing
> headers a bit more tightly)
> - maybe an extra list header or two regarding reply-to (separate author,
> author-errors, list, list-errors)
> - a mechanism that allows a list to modify messages that doesn't break
> incoming signatures, say:
> --- separate "original-subject" "subject-with-tags" "listname" headers
> --- a well-specified way to add a header and/or footer to a message
> (e.g., headers to indicate header-line-count, and footer-line-count)
> --- provisions for MIME
> --- i.e., a recipient can verify the original message and author, verify
> changes that have been made by a listprocessor, run some checks on the
> diffs, then make a decision on what to do with the message
> - maybe some best practices for mail client presentation of information
> to end users

Miles

I do not think that the behaviour of mailing lists is well enough defined and so the various authentication mechanisms have too much variation to cope with and so do not.

I get mail from several IETF lists and
- may or may not get a [tag]
- may or may not have From: replaced by an IETF address
- may have From: replaced by a nickname and no IETF address
- usually get List: headers
and so on and so forth.

What I think is needed is a well-defined and short description of what a well-behaved mailing list might do, and then DKIM and such, or perhaps just a best practices thereof, could make mailing lists authentication-friendly.

I do not think it worth trying to do anything that calls for MUA changes - it will take too many decades to roll out.

I think that DMARC has got this badly wrong, but that we have created enough pitfalls that they can easily do so.

Tom Petch

>
> Miles Fidelman
>
> --
> In theory, there is no difference between theory and practice.
> In practice, there is. .... Yogi Berra