ietf-dkim

Re: [ietf-dkim] chained signatures, was l= summary

2009-05-25 09:09:55
But it wasn't. The FUD was actually increased, because the DKIM-Signature  
that was added doesn't cover the Authentication-Results header.

Chaining signatures with Authentication-Results is unlikely to work,
since with two or more levels of chaining, there is no reliable way to
tell which A-R header goes with which signature.

But since it is a Fundamentally Bad Idea, it doesn't matter, and there
is no security issue to fix.  If a message has one good signature and
a bunch of broken signatures, as will generally be the case here, you
ignore the broken ones and use the good one to evaluate the message.

Everybody I know filters list mail based on the identity of the list,
not the identity of the contributors; they have ever since there has
been mail filtering, and there is no reason to expect that to change
in the future.  I am baffled that people have wasted so much effort on
broken non-solutions to a non-existent problem.

A-R can be useful in some very narrow circumstances, where the channel
between the agent that applies the header and the agent that uses it
is secure.  The most likely setup is that it's applied as the message
is dropped into a mailbox on a server, and it's used by a MUA or local
filtering proxy that picks up the message via POP or IMAP.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
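
An added example, not part of the original message or of any DKIM implementation: a consumer-side check for the setup described above, where Authentication-Results is trusted only when stamped at final delivery, and failed signatures are ignored in favour of passing ones. The authserv-id `mx.example.net`, the sample message, and the rule "only A-R headers above the topmost Received header count" are assumptions made for illustration.

```python
import email
import re

TRUSTED_AUTHSERV_ID = "mx.example.net"  # assumption: our own delivery server

# Constructed sample. The top A-R header was added at final delivery; the one
# below the Received header arrived with the message and could be forged.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=fail header.d=author.example;
 dkim=pass header.d=list.example
Received: from list.example by mx.example.net; Mon, 25 May 2009 09:09:55 -0000
Authentication-Results: mx.example.net; dkim=pass header.d=bank.example
From: someone@author.example
Subject: constructed test message

body
"""

def local_ar_headers(msg, authserv_id):
    """Yield A-R values stamped above the topmost Received header by authserv_id."""
    for name, value in msg.items():
        if name.lower() == "received":
            return  # everything below came over an untrusted channel
        if name.lower() != "authentication-results":
            continue
        # Unfold the header and drop simple (non-nested) comments.
        value = re.sub(r"\([^()]*\)", " ", " ".join(value.split()))
        ident, _, rest = value.partition(";")
        if ident.split() and ident.split()[0].lower() == authserv_id.lower():
            yield rest

def passing_dkim_domains(raw, authserv_id=TRUSTED_AUTHSERV_ID):
    """Return the d= domains with dkim=pass; failed signatures are simply ignored."""
    msg = email.message_from_string(raw)
    domains = set()
    for rest in local_ar_headers(msg, authserv_id):
        for clause in rest.split(";"):
            m = re.match(r"\s*dkim\s*=\s*(\w+)", clause, re.I)
            d = re.search(r"\bheader\.d\s*=\s*([^\s;]+)", clause, re.I)
            if m and d and m.group(1).lower() == "pass":
                domains.add(d.group(1).lower())
    return domains

if __name__ == "__main__":
    print(passing_dkim_domains(SAMPLE))
```

The result is a set of signing domains rather than a mapping to individual signatures, since the A-R header does not reliably identify which signature each result belongs to.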