Eric Rescorla wrote:
Jim Fenton <fenton(_at_)cisco(_dot_)com> writes:
The reason
I'm more sensitive to verification load is the potential make-work
attack from an attacker who generates valid-looking but invalid
signatures (which are effectively free in terms of computation). This
is described in more detail in section 4.1.6 of the threat document.
I don't understand why this is a relevant consideration for whether
we *require* signers to do multiple signatures or not at this time.
In order for transitions to work properly, verifiers must be able
to process multiple signatures, so an attacker can exploit this
whatever the behavior of any individual signer.
I don't recall anyone suggesting that we require signers to do multiple
signatures (at least, I wasn't suggesting that). In any case, I agree
with your statement.
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html