ietf-dkim

[ietf-dkim] no signature or bad signature

2007-12-24 10:46:30
[Sounds like this message never got to the list, but it's in the
archives at http://mipassoc.org/pipermail/ietf-dkim/2007q4/008784.html ]

Wietse asked:

> Is no signature equivalent to a bad signature?

For the pure authentication verification use case, where anything not
authenticated is inauthentic, there's no difference.

When debugging a DKIM installation on behalf of the signer (why some
messages don't verify when I thought they would, etc), I'd very much
want to know whether there was no signature or a bad/unverifiable
signature.

When calculating reputation on behalf of the verifier (which is out of
scope and will never be standardized, but is still a known valid use
case), I'd be inclined to record them as separate values...and then look
at additional data to determine whether it was more likely to be
accidental or malicious.

> Will you give "no signature" equal treatment to "bad signature", or
> will you give mail with bad signatures (such as a valid header that
> was pasted on top of a forged body) more favorable treatment?

If we're talking about the pure authentication case, they'd get the same
treatment.  If we're talking about the debugging case, the verifier may
treat them the same way but the signer would want to know the difference
(as reflected in Murray's DKIM reporting draft.)  If we're talking about
the reputation case, the final treatment would depend on external
variables & calculation.

I recognize that these three are not the only use cases, but I think
they show a sufficient range.

--
J.D. Falk
Receiver Products
Return Path 

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
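
To illustrate the distinction discussed in the message above, here is an added example (not part of the original post and not taken from any DKIM implementation) that tells "no signature" apart from the "valid header pasted on a forged body" case by recomputing the bh= body hash. It assumes "simple" body canonicalization and skips verification of the b= signature against the signer's DNS key; the function names and the sample messages are constructed for illustration.

```python
import base64, hashlib, re
from collections import Counter

def body_hash(body: bytes, algo: str = "sha256") -> str:
    """bh= value for "simple" body canonicalization: strip trailing
    empty lines, then end the body with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return base64.b64encode(hashlib.new(algo, body + b"\r\n").digest()).decode()

def classify(raw: bytes) -> str:
    """Return "none", "bad", "body-ok" or "unsupported" for one raw message."""
    headers, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", headers)      # undo header folding
    sig = re.search(rb"(?im)^DKIM-Signature:([^\r\n]*)", unfolded)
    if sig is None:
        return "none"                                     # no signature at all
    tags = {}
    for part in sig.group(1).decode("ascii", "replace").split(";"):
        key, eq, value = part.partition("=")
        if eq:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    algo = tags.get("a", "").rpartition("-")[2]
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if algo not in ("sha1", "sha256") or body_canon != "simple" or "l" in tags:
        return "unsupported"      # outside this example's scope, not judged
    # "body-ok" only means this stage passed; b= is not checked here.
    return "body-ok" if tags.get("bh") == body_hash(body, algo) else "bad"

def pure_auth_rejects(state: str) -> bool:
    # Pure authentication use case: anything not authenticated is
    # inauthentic, so "none" and "bad" get the same treatment.
    return state != "body-ok"

def tally(messages) -> Counter:
    # Debugging and reputation use cases: record the states separately.
    return Counter(classify(m) for m in messages)

# Constructed sample messages (example.com, selector and b= are placeholders).
BODY = b"Invoice attached.\r\n"
SIG = ("DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;\r\n"
       "\ts=sel; h=from:subject; bh=%s;\r\n\tb=PLACEHOLDER\r\n" % body_hash(BODY)).encode()
FROM = b"From: a@example.com\r\nSubject: hi\r\n\r\n"
SAMPLES = [FROM + BODY, SIG + FROM + BODY, SIG + FROM + b"Forged body.\r\n"]

if __name__ == "__main__":
    print(tally(SAMPLES))
```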
