I would assume that a valid unbroken signature would be reputation
checked and lightly filtered
Where a broken or no signature would get full scrutiny by all the tools
at my site.
That is the easiest way (for me) to handle the message flow
Thanks,
Bill Oxley
Messaging Engineer
Cox Communications
404-847-6397
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Wietse Venema
Sent: Wednesday, December 19, 2007 9:56 AM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: [ietf-dkim] Accidental versus malicous error (was: SSP assist
DKIM)
Is no signature equivalent to a bad signature?
Is a bad signature the result of malice or accident?
Some don't distinguish between these cases, arguing that favoring
bad signatures over no signatures only encourages criminals to send
mail with bad signatures. For example:
Doug Otis:
This dubious strategy provides a significant incentive for bad actors
to
insert "bogus" DKIM signatures.
Others believe that they can distinguish between malice and accident.
For example:
Charles Lindsey:
If a verifier believes he can give a better service to his clients
(less
false positives, perhaps) by distinguishing whether the failure was in
the
body hash or in the header hash, or even by trying to reverse engineer
the
changes that had caused the previously good signature to become bad,
then
he is welcome to try.
Now consider the case that you can't reverse engineer the damage.
At this point you can't distinguish between malice or accident.
Will you give "no signature" equal treatment to "bad signature",
or will you give mail with bad signatures (such as a valid header
that was pasted on top of a forged body) more favorable treatment?
Wietse
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html