On Dec 21, 2007, at 6:57 AM, Michael Thomas wrote:
> Stephen Farrell wrote:
>> Hi Mike,
>> Michael Thomas wrote:
>>> Yesterday, of the 32082 messages that Cisco sent through mailing
>>> lists, 99.6% of them passed verification.
>> That's an interesting number, higher than I'd have thought. I'd
>> have guessed ~50%.
>> - any idea why it's so high (are you doing anything odd in the
>> signatures?)
> l= with some z= magic. The point being that we understand the risks,
> and we don't want net.busybodies telling us what is best for us. If
> any of this becomes a real life problem -- which it is not -- there
> are plenty of other mitigations we can take.

What are the mitigations?

>> - what causes contribute to the 0.4%
> There are definitely mailing lists out there that do things that we
> can't recover from -- yahoogroups as an example. More interestingly
> though, there are mailing list managers that actually mangle the
> DKIM-Signature itself under some circumstances -- would that we kept
> nowsp for the headers. Then the rest fall into a grab bag of
> different reasons.
Mailing lists removing _invalid_ signatures will not impact results
obtained with mailing-list permissive settings. Removing invalid
signatures better ensures evaluation of valid signatures.
In addition, it is a matter of interpretation as to whether a mailing
list should remove signatures prior to signing. It is not that far-fetched
to predict that dependence upon permissive signature settings, combined
with mailing lists not removing prior signatures, is likely a recipe for
future policy compliance problems, and it represents a valid concern when
deciding upon policy assertions.

When exploits occur while using mailing-list permissive settings and
restrictive policies:
- what will be asked of the signer?
- what will be asked of the verifier?
- what will be asked of changes to the policy?
-Doug
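The l= body-length tag Mike credits for the 99.6% survival rate is easiest to understand at the body-hash step of DKIM. The Python below is an added example for this page, not code from the thread or from Cisco's signer: it implements the RFC 4871 "simple" body canonicalization and the bh= computation with and without an l= tag, over constructed message bodies (the footer text is modeled on this list's own, the attacker trailer and its host name are placeholders). It shows why a signature with l= survives a list appending a footer, and why that same property is the "risk" the thread alludes to: anything appended after the l= boundary verifies too, so a verifier has to treat those octets as unauthenticated. Headers, the z= tag and the RSA signature over the header hash are deliberately left out; only the body hash is modeled.

```python
import base64
import hashlib
from typing import Optional

CRLF = b"\r\n"


def simple_body_canon(body: bytes) -> bytes:
    """RFC 4871 section 3.4.3 'simple' body canonicalization: remove all
    empty lines at the end of the body, then make sure it ends with a
    single CRLF (an empty body canonicalizes to a lone CRLF).
    Assumes the body already uses CRLF line endings."""
    while body.endswith(CRLF + CRLF):
        body = body[:-2]
    if not body.endswith(CRLF):
        body += CRLF
    return body


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """Compute the bh= value: base64(SHA-256) of the canonicalized body,
    truncated to the first `length` octets when an l= tag is in play
    (RFC 4871 section 3.7). A signer MUST NOT set l= larger than the
    canonicalized body (section 3.5), so a received body shorter than
    l= is rejected here."""
    canon = simple_body_canon(body)
    if length is not None:
        if length > len(canon):
            raise ValueError("l= exceeds canonicalized body length")
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def sign_body(body: bytes, use_length: bool) -> dict:
    """Signer side. Returns only the body-related tags of a would-be
    DKIM-Signature: bh= and, if use_length, l= set to the full canonical
    body length (the usual choice when l= is used at all)."""
    canon = simple_body_canon(body)
    length = len(canon) if use_length else None
    return {"bh": body_hash(canon, length), "l": length}


def verify_body(sig: dict, received: bytes) -> bool:
    """Verifier side: recompute bh= over the body as received, honoring l=."""
    try:
        return body_hash(received, sig["l"]) == sig["bh"]
    except ValueError:
        return False


def unsigned_tail(sig: dict, received: bytes) -> bytes:
    """Everything after the l= boundary is NOT covered by the signature.
    A verifier that accepts l= should treat these octets as unauthenticated
    (the RFC 4871 security considerations on l= suggest rendering them
    distinctly or truncating them)."""
    if sig["l"] is None:
        return b""
    return simple_body_canon(received)[sig["l"]:]


# Constructed sample body (not a captured message), CRLF line endings.
ORIGINAL_BODY = (
    b"Yesterday, of the 32082 messages that Cisco sent through mailing\r\n"
    b"lists, 99.6% of them passed verification.\r\n"
)

# Constructed: the kind of footer a list manager appends after the signed body.
LIST_FOOTER = (
    b"_______________________________________________\r\n"
    b"NOTE WELL: This list operates according to\r\n"
    b"http://mipassoc.org/dkim/ietf-list-rules.html\r\n"
)

# Constructed: the risk l= accepts. Anyone downstream can append this and the
# body hash still verifies. attacker.example is a placeholder, not a real host.
ATTACKER_TRAILER = b"Reset your password at http://attacker.example/\r\n"


if __name__ == "__main__":
    relayed = ORIGINAL_BODY + LIST_FOOTER
    full = sign_body(ORIGINAL_BODY, use_length=False)
    partial = sign_body(ORIGINAL_BODY, use_length=True)
    print("no l=, footer appended:", verify_body(full, relayed))                        # False
    print("l=, footer appended:   ", verify_body(partial, relayed))                     # True
    print("l=, attacker appended: ", verify_body(partial, relayed + ATTACKER_TRAILER))  # True
    print("unsigned octets:", unsigned_tail(partial, relayed + ATTACKER_TRAILER))
```

The check a verifier actually wants is the last one: once l= is honored, the bytes returned by unsigned_tail are exactly what the signer did not vouch for, and a mail client that displays them as if they were signed is where the "risk" turns into an exploit. The "other mitigations" Doug asks about would have to act on that tail (drop it, mark it, or refuse l= from senders whose policy does not need it); the body hash itself cannot distinguish a list footer from an attacker's trailer.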
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html