On 25 May 2011, at 21:06, John R. Levine wrote:

It tells me signing and encryption certificates are valid and even their
root certificates are valid...

Well, something's wrong with it. I checked the signature in Alpine,
Thunderbird, and Evolution, and they all agree it's fine.

I went back and looked in more detail. The problem appears to be that this
mailing list wraps the signed body in a MIME multipart/mixed section
including both the signed message and the unsigned footer. Some MUAs look
inside the mixed and see the signature, some don't. For the ones that do, I
haven't checked to see how, if at all, they distinguish the signed part from
the unsigned when they show you the message (shades of all the l= arguments).

So this tells me that existing mail software doesn't try very hard to recover
signatures from modified messages, even for simple changes that don't need
any guessing or heuristics to undo.

My client found the signature, otherwise it would not have commented on its
validity. It just wasn't able to verify it.

Why would anyone think that the situation with DKIM would be any different?

I don't know. I had the impression that you were claiming that S/MIME would
work better than DKIM here. Perhaps it does, but it still doesn't seem to be
bulletproof.

I think the long-term solution would be for mailing list software to stop
mucking around with the message body, and for MUAs to work better at exposing
metadata added by lists (like the list-unsubscribe header).

My guess is that if the top five MUAs and the top ten webmail services were all
to make good use of list-unsubscribe and list-id headers (and perhaps others),
then many list operators would not feel the need to mess around with message
bodies and subject lines.

--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
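
The MIME layout discussed in the message above, as an added example that is not part of the original post: a Python walk of the part tree that reports which leaf parts sit inside a multipart/signed and which, like a list footer, sit outside it. The sample message, its placeholder signature and the function names are constructed for illustration; no signature is verified here.

```python
from email import message_from_string
from email.message import Message

# Constructed sample: a list has wrapped an S/MIME-signed message and its own
# footer in multipart/mixed. The signature body is a placeholder, not real CMS.
SAMPLE = """\
From: author@example.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="inner"

--inner
Content-Type: text/plain

Signed body text.
--inner
Content-Type: application/pkcs7-signature; name="smime.p7s"

PLACEHOLDER
--inner--
--outer
Content-Type: text/plain

List footer added after signing.
--outer--
"""


def classify_parts(msg: Message, covered: bool = False):
    """Return (content_type, status) for every leaf part, in document order."""
    if not msg.is_multipart():
        return [(msg.get_content_type(), "signed" if covered else "unsigned")]
    children = msg.get_payload()
    out = []
    # RFC 1847: multipart/signed has exactly two children, the signed content
    # first and the detached signature second. Anything outside is uncovered.
    if msg.get_content_type() == "multipart/signed" and len(children) == 2:
        out += classify_parts(children[0], covered=True)
        out.append((children[1].get_content_type(), "signature"))
    else:
        for child in children:
            out += classify_parts(child, covered)
    return out


def sample_report():
    return classify_parts(message_from_string(SAMPLE))
```

A display layer can use the per-part status to mark the footer as unsigned instead of letting one "signature valid" indicator apply to the whole message.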