On 26/Oct/10 19:08, Murray S. Kucherawy wrote:
On Behalf Of Alessandro Vesely
On 26/Oct/10 06:58, Murray S. Kucherawy wrote:
a verifying module might return a syntax error code or arrange not to
return a positive result even if the signature technically validates.
-1. How does "might" differ from "MAY"?
In a bunch of ways. In particular, though, it is deliberately not
RFC2119 language, partly because that's not generally done in
Security Considerations since that section is discussion
(informative) rather than protocol (normative).
But it affects the result! That way a verifier is encouraged to
determine the validity of a signature based on heuristic criteria.
This kind of checking belongs to scam filters a la SpamAssassin.
Now, SA doesn't do it. Possibly, that's because it's statistically
irrelevant. AFAIK, SA does not even analyze Authentication-Results,
but re-checks signatures anew. Why? Suppose one day the double-From
attack becomes trendy and SA developers will want to write code that
checks for the valid-signature + added-From pattern. They would never
be able to use A-R, because those results might be flawed by such
non-normative arrangements: This is where that layer violation hurts.
According to that text, it is strongly advised to have a scam filter
/integrated/ within a DKIM verifier. Doesn't this slash the value of
stand alone verifiers and A-R fields?
JM2C
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html