Paul Hoffman wrote:
At 12:16 PM -0800 3/15/06, Michael Thomas wrote:
Paul Hoffman wrote:
It is far safer to assume that any of the signed headers might be
broken, and to encourage systems (such as mailing lists) that are
known to break DKIM signatures to sign after they break them.
And then what?
And then the receiver validates the signatures.
And then what? What would you have my receiver do differently just
because some random third party inserted a signature?
Everybody wants to hand-wave this issue away with the majikal "list
signature",
but the reality is that they are not obviously useable to somebody
who has
actually written lots of code in this area.
They are not usable today because the -00 spec does not say how to
handle multiple signatures. That can, and should, be changed in the spec.
That's not where the problem lies. In any case, we're only talking about
one valid signature since the mailing list torqued the original signature.
Mike
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html