On Thu, 11 Nov 2010 17:55:55 -0000, Douglas Otis
<dotis(_at_)mail-abuse(_dot_)org>
wrote:
Once one DKIM verification vendor includes these necessary checks that
suppress DKIM PASS, and another vendor does not, DKIM implementations
are no longer compatible. IMHO, this represents a DKIM protocol failure
to properly define elements that MUST BE checked to qualify a DKIM PASS
verification result. The DKIM protocol may require future updates as
new exploits are discovered, or a significant design goal will have been
lost.
Actually, for the particular problem we are considering, this will not
arise.
In the scheme I have proposed, the Signer MUST do X and the Verifier MUST
check that the Signer had done X.
However, X only arises where there are multiple once-only headers (so the
message is already 5322 incompatible). So even if the (old) signer fails
(to sign both in this case), the (new) verifier is then merely rejecting a
message that was 5322-incompatible anyway, which is no big deal.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html