Debian Bug report logs - #500965
lists.debian.org: Should remove DKIM and DomainKey headers

Package: lists.debian.org; Maintainer for lists.debian.org is Debian Listmaster Team <listmaster@lists.debian.org>;

Reported by: Russell Coker <russell@coker.com.au>

Date: Fri, 3 Oct 2008 01:21:02 UTC

Severity: wishlist

Merged with 642134


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#500965; Package lists.debian.org. (Fri, 03 Oct 2008 01:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
New Bug report received and forwarded. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Fri, 03 Oct 2008 01:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lists.debian.org: Should remove DKIM and DomainKey headers
Date: Fri, 03 Oct 2008 11:19:31 +1000
Package: lists.debian.org
Severity: normal

Gmail sends out all mail signed with DKIM and DomainKeys, the DKIM
signatures do not include a length field so any change to the message
length (such as appending a list footer) will break the signature.

To deal with this problem the default configuration of the Mailman
package in Lenny will strip all DKIM and DomainKeys headers
(DKIM-Signature and DomainKey-Signature are the names of the headers in
question).

I think that the ideal functionality of a list server in this regard
would be to leave DKIM headers with a length field IFF the list in
question is not configured to prepend the list name to the subject line.
If the DKIM header has no length field or the subject line is to be
modified then it needs to be stripped.  But the functionality of Mailman
in Lenny is adequate.

The current situation is that anyone who configures their mail server to
reject messages that fail the DKIM checks will reject every message sent
to a Debian mailing list from Gmail (which is a moderate amount of
mail).
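
The breakage described in the report above, as an added example that is not part of the original bug log or of Mailman: it recomputes the DKIM body hash (bh=) with "simple" body canonicalization before and after a list footer is appended, with and without an l= tag, and encodes the keep/strip rule the report proposes. The message, footer, domain, selector and function names are constructed for illustration; only bh= is checked, the RSA signature in b= is a placeholder and is not verified.

```python
import base64
import hashlib

def canon_simple(body: bytes) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def body_hash(body: bytes, length=None) -> str:
    """bh= value: base64(SHA-256) of the canonical body, truncated to l= octets if given."""
    data = canon_simple(body)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def body_verifies(sig_value: str, body: bytes) -> bool:
    """True if the body as received still matches the signer's bh= (honouring l=)."""
    tags = parse_tags(sig_value)
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, length) == tags["bh"]

def list_action(sig_value: str, prepends_list_name: bool) -> str:
    """Rule proposed in the report: keep only if l= is present and Subject is untouched."""
    has_length = "l" in parse_tags(sig_value)
    return "keep" if has_length and not prepends_list_name else "strip"

# Constructed sample message body and list footer (not taken from the bug log).
ORIGINAL = b"Hello list,\r\n\r\nplease test this.\r\n"
FOOTER = b"\r\n-- \r\nTo UNSUBSCRIBE, see the list page (constructed footer)\r\n"
BASE = "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel; h=from:subject; "
SIG_NO_L = BASE + f"bh={body_hash(ORIGINAL)}; b=PLACEHOLDER"
SIG_WITH_L = BASE + f"l={len(canon_simple(ORIGINAL))}; bh={body_hash(ORIGINAL)}; b=PLACEHOLDER"

if __name__ == "__main__":
    for name, sig in (("no l=", SIG_NO_L), ("with l=", SIG_WITH_L)):
        print(name, "body hash after footer ok:", body_verifies(sig, ORIGINAL + FOOTER),
              "| action if subject untouched:", list_action(sig, False))
```

With l=, the octets past the signed length are not covered by the signature, which is the only reason the footered message still matches bh=.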




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#500965; Package lists.debian.org. (Fri, 03 Oct 2008 09:03:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Fri, 03 Oct 2008 09:03:08 GMT) Full text and rfc822 format available.

Message #10 received at 500965@bugs.debian.org (full text, mbox):

From: Thomas Viehmann <tv@beamnet.de>
To: Russell Coker <russell@coker.com.au>, 500965@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#500965: lists.debian.org: Should remove DKIM and DomainKey headers
Date: Fri, 03 Oct 2008 11:02:09 +0200
severity important
thanks

Hi Russell,

thanks for alerting us of this problem.

Russell Coker wrote:
[ signatures in DKIM-Signature and DomainKey-Signature broken by
  appending a footer]

For lists where the footer only contains unsubscription information, an
alternative to removing the headers could be appending the footer only
on non-signed mail.
Of course, even more preferable would be if people designing standards
would not expect users to change the ways they sign messages (l=) based
on whether it's going to be sent to a list or not as the only way to
accommodate common existing practices.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/




Severity set to `important' from `normal' Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org. (Fri, 03 Oct 2008 10:48:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#500965; Package lists.debian.org. (Fri, 03 Oct 2008 11:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Fri, 03 Oct 2008 11:06:05 GMT) Full text and rfc822 format available.

Message #17 received at 500965@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Thomas Viehmann <tv@beamnet.de>
Cc: 500965@bugs.debian.org
Subject: Re: Bug#500965: lists.debian.org: Should remove DKIM and DomainKey headers
Date: Fri, 3 Oct 2008 21:03:37 +1000
On Friday 03 October 2008 19:02, Thomas Viehmann <tv@beamnet.de> wrote:
> Of course, even more preferable would be if people designing standards
> would not expect users to change the ways they sign messages (l=) based
> on whether it's going to be sent to a list or not as the only way to
> accommodate common existing practices.

I challenge you to design a way of signing messages that doesn't have this 
issue.

I can't think of a better way of doing this, and I am really interested to 
hear any proposals of better ways of doing it.  Last time I checked DKIM 
wasn't finalised so you can suggest changes to it...




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#500965; Package lists.debian.org. (Fri, 03 Oct 2008 12:03:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Fri, 03 Oct 2008 12:03:05 GMT) Full text and rfc822 format available.

Message #22 received at 500965@bugs.debian.org (full text, mbox):

From: Thomas Viehmann <tv@beamnet.de>
To: russell@coker.com.au
Cc: 500965@bugs.debian.org
Subject: Re: Bug#500965: lists.debian.org: Should remove DKIM and DomainKey headers
Date: Fri, 03 Oct 2008 14:00:23 +0200
Hi Russell,

Russell Coker wrote:
> On Friday 03 October 2008 19:02, Thomas Viehmann <tv@beamnet.de> wrote:
>> Of course, even more preferable would be if people designing standards
>> would not expect users to change the ways they sign messages (l=) based
>> on whether it's going to be sent to a list or not as the only way to
>> accommodate common existing practices.
> 
> I challenge you to design a way of signing messages that doesn't have this 
> issue.

> I can't think of a better way of doing this, and I am really interested to 
> hear any proposals of better ways of doing it.  Last time I checked DKIM 
> wasn't finalised so you can suggest changes to it...
I thought it was an RFC by now. The obvious way would be signing the
footer part that we added (by, say, having a start and length field and
allowing multiple signatures), having "well-signed" mean "signature
headers covering everything".
People wishing to implement some policy could impose restrictions of
content covered by "auxiliary signatures". Naturally, another sane
policy would be requiring timely delivery of messages relative to the
oldest signature.

But this is offtopic here, maybe it'd be worthwhile to take it up to the
dkim-people, but until they decidedly need input and are prepared to fix
this, I'm not too sure it's good use of my time nor whether my ideas on
the subject have significant drawbacks.[1]

Yes, it's not ideal that we're appending stuff, but we still get mail
from people not being able to figure out how to unsubscribe at a rate of
about 1/per day.

Kind regards

T.

1. I once had a conversation with an IMAP expert participating in the
   standards process and was surprised how they did not have globally
   unique identifiers. There are some things to be considered, but the
   security concerns he cited seemed to be easy enough to eliminate.
-- 
Thomas Viehmann, http://thomas.viehmann.net/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#500965; Package lists.debian.org. (Fri, 03 Oct 2008 22:33:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Fri, 03 Oct 2008 22:33:07 GMT) Full text and rfc822 format available.

Message #27 received at 500965@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Russell Coker <russell@coker.com.au>
Cc: Thomas Viehmann <tv@beamnet.de>, 500965@bugs.debian.org
Subject: Re: Bug#500965: lists.debian.org: Should remove DKIM and DomainKey headers
Date: Fri, 3 Oct 2008 23:29:12 +0100
This one time, at band camp, Russell Coker said:
> On Friday 03 October 2008 19:02, Thomas Viehmann <tv@beamnet.de> wrote:
> > Of course, even more preferable would be if people designing standards
> > would not expect users to change the ways they sign messages (l=) based
> > on whether it's going to be sent to a list or not as the only way to
> > accommodate common existing practices.
> 
> I challenge you to design a way of signing messages that doesn't have this 
> issue.

PGP and GPG seem to do it right.  Given that they've existed for ages,
do it correctly, and actually have some measure of believability, I'm
not sure why another standard was needed for signing things, much less
why we should all change all our existing practices to accommodate a
poorly thought scheme.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Severity set to `wishlist' from `important' Request was from Cord Beermann <cord@debian.org> to control@bugs.debian.org. (Thu, 23 Apr 2009 20:51:07 GMT) Full text and rfc822 format available.

Severity set to `wishlist' from `wishlist' Request was from Cord Beermann <cord@Wunder-Nett.org> to control@bugs.debian.org. (Thu, 23 Apr 2009 22:36:05 GMT) Full text and rfc822 format available.

Merged 500965 642134 Request was from debdev@tonelli.sns.it (A Mennucc) to control@bugs.debian.org. (Tue, 04 Dec 2012 17:42:06 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 08:50:12 2014; Machine Name: beach.debian.org
