On 6/2/2009 08:05, Wietse Venema wrote:
Charles Lindsey:
On Mon, 01 Jun 2009 15:49:28 +0100, Barry Leiba
<barryleiba(_at_)computer(_dot_)org>
wrote:
I think it's a terrible idea to (1) leave signatures in a message
after you break them, (2) add A-R without removing any already there,
or (3) add A-R without a signature covering it.
And I, on the contrary, believe it is a terrible idea EVER to remove a
signature or an A-R header. There is never anything to be gained by
throwing away information that someone more perceptive than yourself might
find useful.
Except, of course, when the bad guys use this to have their bogus
signatures and their bogus A-R headers "laundered" by naive signers.
I agree. DKIM is supposed to make it easier for recipients to recognize the
few legitimate messages in the flood of unwanted, if not intentionally
malicious, messages that are presented to our servers. I see little, if any,
value in leaving broken signatures and the matching A-R headers in a message,
and a great deal of potential for problems resulting from the flawed assumption
that the signature must have been valid at some point in time, or it and its
matching A-R headers would not be present.
--
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
Just because you're paranoid doesn't mean they aren't out to get you.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html