ietf-mailsig

Re: Mailing lists and signatures (was: Re: CircleID on DomainKeys)

2004-10-28 08:52:35

At 03:43 AM 10/28/2004 -0700, william(at)elan.net wrote:
My understanding is that IIM's latest proposal includes count on number of 
bytes in the text so the signature probably survives simple addition of
text at the end. I kind of knew they would be doing it back from last IETF
but I'm not certain it's enough to deal with mail lists fully.

Correct.  Our experience thus far is that it's working pretty well.  This 
mailing list is easy; all it does is add an extra CRLF before the body which 
the "nofws" canonicalization takes care of. But IIM also works for the ASRG 
list that adds a footer and adds [ASRG] to the subject line.


On the other hand it's also a fundamental requirement that a scheme
should have a way to advertise to the world that all mail from a given
address will be signed. Without that you can't just reject unsigned mail
up-front. And according to William's table, IIM lacks that too.

If I'm not mistaken they've added a "null key" record that is supposed to
serve this purpose. In any case policy records are easy to add by means
of SPF modifier when we need it.

"null key" checking indeed does that.  By the way, if anyone looks at that and 
sees our use of DNS wildcards (to address the subdomain attack) and feels that 
won't entirely work, you're right.  We're working on an alternative once we 
have done a little more testing to make sure it'll work reliably.

-Jim
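
The body-count and "nofws" behaviour discussed in this message, as an added sketch that is not part of the original post and is not IIM's actual algorithm: it covers the body only (not the Subject tag), a plain SHA-256 digest stands in for the signed hash, and the canonicalization rules, function names and sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac

def nofws(body: bytes) -> bytes:
    """Simplified whitespace-insensitive form (assumed rules): drop empty
    lines, strip all whitespace inside each line, end each line with CRLF."""
    out = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        squeezed = b"".join(line.split())
        if squeezed:
            out.append(squeezed + b"\r\n")
    return b"".join(out)

def sign_body(body: bytes) -> tuple:
    """Sender side: return (byte count, digest) over the canonical body.
    A real scheme would sign the digest with the sender's private key."""
    canon = nofws(body)
    return len(canon), hashlib.sha256(canon).hexdigest()

def verify_body(body: bytes, count: int, digest: str) -> tuple:
    """Receiver side: return (hash_ok, unsigned_tail). Only the first
    `count` canonical bytes are authenticated; the tail is handed back so
    the caller can flag or strip content the sender never signed."""
    canon = nofws(body)
    if len(canon) < count:  # body was truncated in transit
        return False, b""
    actual = hashlib.sha256(canon[:count]).hexdigest()
    return hmac.compare_digest(actual, digest), canon[count:]

# Constructed sample messages (not taken from any real list).
ORIGINAL = b"Hello list,\r\nthe signature covers this text.\r\n"
FOOTER = b"_______\r\nExample list footer\r\n"
VIA_LIST = b"\r\n" + ORIGINAL + FOOTER          # extra CRLF + footer
TAMPERED = VIA_LIST.replace(b"covers", b"misses")  # change inside signed part

if __name__ == "__main__":
    count, digest = sign_body(ORIGINAL)
    for name, msg in [("original", ORIGINAL), ("via list", VIA_LIST),
                      ("tampered", TAMPERED)]:
        ok, tail = verify_body(msg, count, digest)
        print(f"{name:9} ok={ok} unsigned_tail={tail!r}")
```

The footer verifies only because it lies outside the counted bytes, so a receiver should treat the returned tail as unauthenticated content.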


