On Jun 5, 2006, at 9:14 AM, Michael Thomas wrote:
Eliot Lear wrote:
Douglas Otis wrote:
Remainder from last jabber:
K. Otis, signature removal
http://mipassoc.org/pipermail/ietf-dkim/2006q2/003764.html
Now 1287.
Wait a minute, hasn't this been discussed ad nauseam with the clear
consensus to leave this text in?
Do you have a reference to this discussion? The concern raised is
about the normative language in the -base draft regarding the removal
of signatures.

   Signers SHOULD NOT remove any DKIM-Signature header fields from
   messages they are signing, even if they know that the signatures
   cannot be verified.

When a provider becomes aware of a technique creating a DoS exploit
by adding signatures tar-pitting recipients, this language appears to
discourage a defensive action. DKIM base has yet to resolve how to
handle multiple signatures or consider any related DoS issues. Until
then, it seems cavalier to indicate, even if the signature is known
to be invalid, all existing signatures must be retained.
It seems a growing portion of email content might become invalid
signatures.
-Doug