ietf-mxcomp

Re: So here it is one year later...

2005-01-31 13:19:46

wayne wrote:

> Despite asking several times on the MASS mailing list, I have yet to
> see any data on the false positive rates for DK, IIM, William's DK-IIM
> merged system, CSV, or SES.  So far, all I've seen is people claiming
> that their systems work better than SPF, with no data to back it up.
> (Often, there is data to back up the claim that SPF has false
> positives, but we *do* know that.)

We are starting to get some data on false positives (signature breakage) for DK and IIM, but since the number of verifying domains at this point is very small, it would raise more questions than it would answer if we were to publish it. Success rates depend a lot on what the originating and terminating domains' MTAs do with their messages, so having data from a couple of domains is far from representative. It also depends on things like whether the signer, in the case of DK, uses the optional h= parameter to sign specific headers.

> SPF breaks forwarding unless the sender uses SES, the forwarder uses
> SRS, or the receiver uses a whitelist.
>
> DK breaks mailing lists, and from what I can tell from reading MASS,
> the DK folks don't see that as a problem.  The other crypto systems at
> least *try* to not break mailing lists, but it is not at all clear how
> well they do in practice.  (SES looks like it will do the best, but it
> requires some sort of call-back to work.)

The real answer is to have mailing lists re-sign their messages. While IIM does try not to break mailing lists, and does in some cases, it's imperfect and intended primarily as an expedient until they do.

If you'd like to discuss this more, let's move to the ietf-mailsig list.

-Jim