Is no signature equivalent to a bad signature?
Is a bad signature the result of malice or accident?
Some don't distinguish between these cases, arguing that favoring
bad signatures over no signatures only encourages criminals to send
mail with bad signatures. For example:
Doug Otis:
This dubious strategy provides a significant incentive for bad actors to
insert "bogus" DKIM signatures.
Others believe that they can distinguish between malice and accident.
For example:
Charles Lindsey:
If a verifier believes he can give a better service to his clients (less
false positives, perhaps) by distinguishing whether the failure was in the
body hash or in the header hash, or even by trying to reverse engineer the
changes that had caused the previously good signature to become bad, then
he is welcome to try.
Now consider the case that you can't reverse engineer the damage.
At this point you can't distinguish between malice or accident.
Will you give "no signature" equal treatment to "bad signature",
or will you give mail with bad signatures (such as a valid header
that was pasted on top of a forged body) more favorable treatment?
Wietse
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html