spf-discuss

Re: Re: MAAWG whitepaper draft (fwd)

2004-12-12 20:17:15
Since mention of DK has raised its head, has anyone explained why
they violated standards and left off the "X-" in front of
"DomainKey-Signature:", or, to get even more to the brutal point, has
anyone noticed that the bloke creating all the domainkey
specification documents appears to have begun this with no background
in either security/cryptography (e.g. initially recommended asymmetric
key sizes that were crackable in mere seconds), nor in email (e.g.
utterly ignores the fact that headers get inserted everywhere nowadays
(e.g. spam/virus/etc. scanners) and that contents get changed by MTAs
(e.g. quoted<=>8bit)), nor even in programming (e.g. his idea of
"folding cr/lf/blankspace" is just to remove it all), and for that
matter, common sense (S/MIME already exists; the entire DK system
could have been rolled out with S/MIME just by attaching the headers
before the signature, people might want to verify old emails, etc. etc.).

If he'd even bothered to send some test emails before he started down
the "sign the entire email" route, he would no doubt have noticed
that emails change between sender and recipient/or/DK-verifier, and
he's looking at insanely unacceptable false-positive rates.
Proposing to the world a "solution" that's going to cause loads more
legitimate sender emails to vanish was totally unethical.

For a really full-hearted laugh, verify all the DK sigs on
spf-discuss(_at_)v2(_dot_)listbox(_dot_)com - (hint: they all fail)

On a different note: It's amusing to see other people starting to cry
foul now that the lack of integrity and honesty of people involved in
"white paper writing" is getting more overt.  I urge all of you to not
accept this blatant dishonesty: if something's broken in
SPF/DK/SID/etc, state so honestly and upfront and stop sweeping all
the nasties under the carpet.  Nobody likes to hear people like me
whinging, and still fewer people want to waste days setting up SPF/etc
on their systems only to discover it trashes loads more legit emails
than anyone told them it would.

Kind Regards,
Chris Drake
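An added illustration of the transit-modification problem the post raises (this is example code, not part of Chris Drake's message, and the canonicalisation shown is a simplified stand-in, not DomainKeys' or S/MIME's actual algorithm). It builds a constructed 8bit message, then models two things that happen in transit: a content scanner prepending a trace header, and an MTA re-encoding the body from 8bit to quoted-printable. A digest over the raw bytes breaks on both; a digest that signs only selected headers survives the inserted header but still breaks on re-encoding; only decoding the transfer encoding before hashing survives both. Message contents, header names and the `signed` header list are all constructed assumptions.

```python
import hashlib
import quopri

# Constructed sample message (not taken from the mailing-list post).
ORIGINAL = (
    "From: alice@example.com\r\n"
    "To: bob@example.net\r\n"
    "Subject: hello\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: 8bit\r\n"
    "\r\n"
    "Gr\u00fc\u00dfe aus Wien.\r\n"
)


def split_message(msg: str):
    """Return (list of 'Name: value' header lines, body) for a CRLF message."""
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body


def join_message(headers, body: str) -> str:
    return "\r\n".join(headers) + "\r\n\r\n" + body


def insert_scanner_header(msg: str) -> str:
    """Model a spam/virus scanner prepending a trace header in transit."""
    headers, body = split_message(msg)
    return join_message(["X-Spam-Status: No, score=0.1"] + headers, body)


def reencode_body_qp(msg: str) -> str:
    """Model an MTA converting an 8bit body to quoted-printable."""
    headers, body = split_message(msg)
    new_headers = [
        "Content-Transfer-Encoding: quoted-printable"
        if h.lower().startswith("content-transfer-encoding:") else h
        for h in headers
    ]
    qp_body = quopri.encodestring(body.encode("utf-8")).decode("ascii")
    return join_message(new_headers, qp_body)


def digest_raw(msg: str) -> str:
    """Hash over the whole message exactly as transmitted (fragile)."""
    return hashlib.sha256(msg.encode("utf-8")).hexdigest()


def _decode_body(headers, body: str) -> str:
    """Undo the transfer encoding so the hash covers content, not wire form."""
    cte = "7bit"
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-transfer-encoding":
            cte = value.strip().lower()
    if cte == "quoted-printable":
        return quopri.decodestring(body.encode("ascii")).decode("utf-8")
    return body


def digest_canonical(msg: str, decode_body: bool = False,
                     signed=("from", "to", "subject")) -> str:
    """Simplified canonical hash (illustrative, not DomainKeys' algorithm):
    only the named headers are covered, with lower-cased names and trimmed
    values, followed by the body with CRLF folded to LF and trailing
    whitespace stripped per line. Unsigned headers may be added freely."""
    headers, body = split_message(msg)
    if decode_body:
        body = _decode_body(headers, body)
    wanted = {}
    for line in headers:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in signed and name not in wanted:
            wanted[name] = value.strip()
    canon_headers = "".join(f"{n}:{wanted[n]}\n" for n in signed if n in wanted)
    canon_body = "\n".join(l.rstrip() for l in body.replace("\r\n", "\n").split("\n"))
    return hashlib.sha256((canon_headers + "\n" + canon_body).encode("utf-8")).hexdigest()


def run_scenarios() -> dict:
    """Which digest strategies still verify after each transit change?"""
    scanned = insert_scanner_header(ORIGINAL)
    reencoded = reencode_body_qp(ORIGINAL)
    return {
        "raw_survives_header_insert":
            digest_raw(ORIGINAL) == digest_raw(scanned),
        "canonical_survives_header_insert":
            digest_canonical(ORIGINAL) == digest_canonical(scanned),
        "canonical_survives_qp":
            digest_canonical(ORIGINAL) == digest_canonical(reencoded),
        "decoded_canonical_survives_qp":
            digest_canonical(ORIGINAL, decode_body=True)
            == digest_canonical(reencoded, decode_body=True),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```

Run stand-alone it prints one line per scenario; only the header-selective digest survives the inserted scanner header, and only the variant that decodes the transfer encoding first survives the quoted-printable conversion, which is the false-positive source the post describes for any scheme that signs the message as transmitted.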