--On February 16, 2006 1:26:10 AM -0500 Hector Santos
<hsantos(_at_)santronics(_dot_)com> wrote:
Whether you know it or not, you are making indirect technical and
indirect local policy decisions with the assertion:
"bad signatures --> treat as if no signature was even present"
Yes, you are correct, which is why such wording is (supposed to be)
no more than a SHOULD or an informative comment. I do see that there
are several MUSTs that really ought to be converted to SHOULDs for
this to be true. This is a major enough change that I think it
should have further discussion; I'll ask Elliot to put it on the
issues list.
So just because you don't want to say anymore about Local Policies
or how invalid DKIM signatures are possible, saying it should be
treated as if as NO SIGNATURE is present, it is making a technical
and local policy decision.
I think it is a failed and flawed design concept and I have not been
convinced that it is not.
Our (or at least My) logic is as follows: in the short run, we know
there are agents out there that modify the message in various ways.
We might argue that they are wrong, but they do exist. We expect or
at least hope that DKIM will cause such agents to atrophy. At some
point there may be few enough of them that my advice will change, and
we can consider a bad signature to be a strong sign of probably
abuse. But for now I'm a firm believer that to do so would cause far
too many incorrect rejections.
That said, I do believe that this is verifier local policy, and I
support your right to implement your code however you deem
appropriate.
eric
_______________________________________________
NOTE WELL: This list operates according to
http://dkim.org/ietf-list-rules.html