ietf-dkim

Re: [ietf-dkim] testing Message Corpus & question for base spec

2006-02-15 13:28:36


--On February 10, 2006 6:34:08 PM -0500 Hector Santos <hsantos(_at_)santronics(_dot_)com> wrote:
> Our implementation will be to reject all illegal DKIM
> implementations, the form, the syntax, etc - regardless of any
> relaxed DKIM specification or recommendation and especially of any
> accreditation system saying otherwise including augmented fee-based
> tokens.

Hector, are you saying that you intend to ignore MUSTs in the spec? For example, the spec says that verifiers MUST ignore any tags that they do not implement. This can be viewed as a "relaxed" view, but it is critical to allow future extensions.

If you're just talking about the x=-1019102801 issue (and things of that sort, i.e., malformed entries that the verifier does understand) then I'm in total agreement, and I think the existing draft already covers that. For example, section 6.1 includes:

       Implementers MUST meticulously validate the format and values
       in the "DKIM-Signature:" header field; any inconsistency or
       unexpected values MUST result in an unverified email. Being
       "liberal in what you accept" is definitely a bad strategy in
       this security context. Note however that this does not
       include the existence of unknown tags in a "DKIM-Signature"
       header field, which are explicitly permitted.

Since the ABNF for the x= tag reads:

       sig-x-tag    = %x78 [FWS] "=" [FWS] 1*12DIGIT

the hyphen/dash/minus is clearly out of spec.

[I do see one error however; that statement should probably say "MUST cause the header field to be completely ignored", which is consistent with the wording in the rest of section 6.]

eric
_______________________________________________
NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html
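
The distinction drawn in the message above, as an added example that is not part of the original post or of any DKIM implementation: unknown tags are ignored, while a malformed value in a tag the verifier implements (here x=, checked against the quoted 1*12DIGIT rule) causes the header field to be rejected. The function name, the set of implemented tags, the simplified ";"-separated tag parsing and the sample header values are assumptions of this example.

```python
import re

# x= value per the ABNF quoted in the message: 1*12DIGIT.
X_VALUE = re.compile(r"[0-9]{1,12}")
# Tags this hypothetical verifier implements. Only x= gets a strict value
# check here; the others are treated as opaque (assumption of this example).
IMPLEMENTED = {"a", "b", "d", "s", "x"}
VALIDATORS = {"x": X_VALUE}

# Constructed sample header field values, not taken from real mail.
GOOD = "a=rsa-sha1; d=example.com; s=sel; x=1139900000; zz=future; b=AAAA"
BAD_X = "a=rsa-sha1; d=example.com; s=sel; x=-1019102801; b=AAAA"


def check_dkim_tags(value):
    """Return (accepted, implemented_tags, ignored_tag_names)."""
    tags, ignored = {}, []
    for item in value.split(";"):
        if not item.strip():
            continue  # empty item after a trailing ";"
        name, sep, val = item.partition("=")
        name, val = name.strip(), val.strip()  # drop [FWS] around "="
        if not sep or not name:
            return False, {}, []  # not a tag=value pair
        if name not in IMPLEMENTED:
            ignored.append(name)  # unknown tag: ignore, never reject
            continue
        if name in tags:
            return False, {}, []  # duplicate implemented tag (assumption: reject)
        pattern = VALIDATORS.get(name)
        if pattern is not None and not pattern.fullmatch(val):
            return False, {}, []  # malformed value in an understood tag
        tags[name] = val
    return True, tags, ignored


if __name__ == "__main__":
    for label, header in (("good", GOOD), ("bad x=", BAD_X)):
        accepted, tags, ignored = check_dkim_tags(header)
        print(label, "accepted" if accepted else "rejected", "ignored:", ignored)
```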
