On Tue, 02 Jun 2009 14:24:43 +0100, Michael Thomas <mike(_at_)mtcc(_dot_)com>
wrote:
Wietse Venema wrote:
Charles Lindsey:
On Mon, 01 Jun 2009 15:49:28 +0100, Barry Leiba
<barryleiba(_at_)computer(_dot_)org>
wrote:
I think it's a terrible idea to (1) leave signatures in a message
after you break them, (2) add A-R without removing any already there,
or (3) add A-R without a signature covering it.
A signature covering it? That's quite a new requirement for a-r and
one that nobody that I'm aware is following.
It is such a blatantly obvious necessity that I am surprised it is
occasioning such surprise.
WTF is the point of inserting an A-R header if you are not willing to take
responsibility for what you have done by signing it?
And why should anyone else believe your A-R if you have omitted that
elementary step?
In any case, removing signatures seriously sucks from a forensics
standpoint. The DKIM rule is that if they're broken, they're equivalent
to not existing. Leaving signatures in hurts *nothing*, and
provides a lot of feedback to the original sender if needed to
diagnose why signatures failed.
+1. That is exact;y the point I was trying to make.
This shit happens in the real world. Often.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html