ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Re: 99.6%

2007-12-21 16:19:08

On Dec 21, 2007, at 6:57 AM, Michael Thomas wrote:

Stephen Farrell wrote:
Hi Mike,

Michael Thomas wrote:

Yesterday, of the 32082 messages that Cisco sent through mailing lists, 99.6% of them passed verification.

That's an interesting number, higher than I'd have thought. I'd have guessed ~50%.

- any idea why its so high (are you doing anything odd in the signatures?)

l= with some z= magic. the point being that we understand the risks, and we don't want net.busybodies telling us what is best for us. If any of this becomes a real life problem -- which it is not -- there are plenty of other mitigations we can take.

What are the mitigations?

- what causes contribute to the 0.4%

there are definitely mailing lists out there that do things that we can't recover from -- yahoogroups as an example. More interestingly though, there are mailing lists managers that actually mangle the DKIM-signature itself under some circumstances -- would that we kept nowsp for the headers. Then the rest fall into a grab bag of different reasons.

Mailing lists removing _invalid_ signatures will not impact results obtained with mailing-list permissive settings. Removing invalid signatures better ensures evaluation of valid signatures.

In addition, it is a matter of interpretation as to whether a mailing- list should remove signatures prior signing. It is not that far fetched to predict dependence upon permissive signature settings and mailing lists not removing prior signatures is likely a recipe for future policy compliance problems and represents valid concerns when deciding upon policy assertions.

When exploits occur when using mailing-list permissive settings and restrictive policies--

-  what will be asked of the signer?

-  what will be asked of the verifier?

-  what will be asked of changes to the policy?

-Doug
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html