On Wed, 06 Dec 2006 20:25:39 -0000, John Levine <johnl(_at_)iecc(_dot_)com> wrote:
But of course I don't want them to be "likely to survive". I want a system
that is robust enough that they "always survive".
As I recall, we agreed that is specifically not a goal of DKIM.  If
you want a signing scheme designed to survive all sorts of hostile
gateways, there's already S/MIME.  The limited c18n in DKIM is
intended to survive only the most common sorts of transit relays.
Unfortunately, S/MIME already suffers from exactly the same  
bug^H^H^Hfeature, which is why I was surprised to see that DKIM has  
followed that same broken path.
DKIM will have no effect on the present spam/phishing/malware scene unless  
it is widely adopted. It will not be widely adopted unless it is seen to  
be robust. In particular, it will not be adopted in countries (esp those  
in Asia) where the character sets used are totally unlike ASCII if it can  
only be made to work by forcing everything to be sent as 7bit. They just  
cannot survive in an environment where textual messages 'on the wire'  
cannot easily be read in that form. They will just resort to "send 8bits  
anyway" which is already happening, even with headers, to a large extent,  
because 99.9% of the time it actually works like that without problem.
That is why the parallel EAI effort has been mentioned so often in these  
discussions, because it is pulling in exactly the opposite direction to  
this WG, and it is the Chinese and the Japanese who are pulling the  
hardest.
Honestly, I'd be more inclined to go in the other direction and
deprecate the relaxed body c18n, since it is my impression that the
simple one works in practice for nearly any message that relaxed does,
and relaxed is more complicated and may be vulnerable to ASCII art
hacks.
It has been standard practice in PGP, since its inception, to ignore  
trailing whitespace (unless you explicitly ask it not to). I have never  
heard of a Bad Guy who managed to create a correctly signed message
with usefully different content by taking advantage of that.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131      Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
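
The "simple" versus "relaxed" body canonicalization debated in this message, as an added example that is not part of the original thread: it applies the body rules as published in RFC 6376 sections 3.4.3 and 3.4.4 and reports which body hash still matches after whitespace changes. The sample bodies and the helper name `survives` are constructed for illustration.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """'simple': only empty lines at the end of the body are ignored."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"  # an empty body canonicalizes to a single CRLF

def canon_relaxed(body: bytes) -> bytes:
    """'relaxed': also drops trailing WSP and collapses WSP runs to one SP."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty (or whitespace-only) lines are ignored
    return b"".join(ln + b"\r\n" for ln in lines)  # empty body stays empty

def body_hash(body: bytes, canon) -> str:
    """Value that would be carried in the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def survives(signed: bytes, received: bytes) -> dict:
    """For each algorithm, does the received body still match the signed hash?"""
    algos = (("simple", canon_simple), ("relaxed", canon_relaxed))
    return {name: body_hash(signed, fn) == body_hash(received, fn)
            for name, fn in algos}

# Constructed sample bodies (not taken from the thread).
SIGNED = b"Total:   100 EUR\r\nRegards,\r\nBob\r\n"
TRAILING_WS = b"Total:   100 EUR \r\nRegards,\t\r\nBob\r\n"  # relay added trailing WSP
EXTRA_BLANKS = SIGNED + b"\r\n\r\n"                         # relay appended empty lines
RESPACED = b"Total: 100\t\tEUR\r\nRegards,\r\nBob\r\n"      # interior spacing changed

if __name__ == "__main__":
    for label, received in (("trailing whitespace", TRAILING_WS),
                            ("extra blank lines", EXTRA_BLANKS),
                            ("interior spacing", RESPACED)):
        print(f"{label:20} {survives(SIGNED, received)}")
```

The last case shows the trade-off raised above: under "relaxed", interior spacing is not covered by the hash, so a body whose layout has been changed still verifies.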