[ietf-dkim] Accidental versus malicious error (was: SSP assist DKIM)

J D Falk jdfalk at returnpath.net
Fri Dec 21 16:41:50 PST 2007


Wietse asked:

> Is no signature equivalent to a bad signature?

For the pure authentication verification use case, where anything not
authenticated is inauthentic, there's no difference.

When debugging a DKIM installation on behalf of the signer (why some
messages don't verify when I thought they would, etc), I'd very much
want to know whether there was no signature or a bad/unverifiable
signature.

When calculating reputation on behalf of the verifier (which is out of
scope and will never be standardized, but is still a known valid use
case), I'd be inclined to record them as separate values...and then look
at additional data to determine whether it was more likely to be
accidental or malicious.

> Will you give "no signature" equal treatment to "bad signature", or
> will you give mail with bad signatures (such as a valid header that
> was pasted on top of a forged body) more favorable treatment?

If we're talking about the pure authentication case, they'd get the same
treatment.  If we're talking about the debugging case, the verifier may
treat them the same way but the signer would want to know the difference
(as reflected in Murray's DKIM reporting draft.)  If we're talking about
the reputation case, the final treatment would depend on external
variables & calculation.

I recognize that these three are not the only use cases, but I think
they show a sufficient range.

--
J.D. Falk
Receiver Products
Return Path 
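
Added example, not part of the original message: a sketch of the three use cases above, keeping "no signature" and "bad signature" as separate states and collapsing them only for the pure authentication answer. It assumes the verifier records DKIM outcomes in RFC 8601 Authentication-Results header fields; the sample values, domain names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed Authentication-Results values (RFC 8601 syntax), not real mail.
SAMPLE = [
    "mx.example.net; dkim=pass header.d=good.example",
    "mx.example.net; dkim=none",
    "mx.example.net; dkim=fail (body hash mismatch) header.d=good.example",
    "mx.example.net; dkim=fail header.d=good.example; dkim=pass header.d=list.example",
    "mx.example.net; spf=pass smtp.mailfrom=other.example",
    "mx.example.net; dkim=permerror (no key) header.d=typo.example",
]

COMMENT = re.compile(r"\([^()]*\)")
RESULT = re.compile(r"\bdkim\s*=\s*([a-z]+)", re.I)
DOMAIN = re.compile(r"\bheader\.d\s*=\s*([^\s;]+)", re.I)

def dkim_results(value):
    """Return [(result, signing_domain_or_None), ...] for each dkim clause."""
    out = []
    # Drop comments first, then skip the authserv-id before the first ';'.
    for clause in COMMENT.sub("", value).split(";")[1:]:
        m = RESULT.search(clause)
        if m:
            d = DOMAIN.search(clause)
            out.append((m.group(1).lower(), d.group(1).lower() if d else None))
    return out

def signature_state(value):
    """'valid', 'bad' (present but unverifiable) or 'none' (no signature)."""
    results = [r for r, _ in dkim_results(value)]
    if "pass" in results:
        return "valid"
    if any(r != "none" for r in results):
        return "bad"
    return "none"  # assumption: no dkim clause at all is counted as unsigned

def authenticated(value):
    """Pure authentication: 'bad' and 'none' collapse into the same answer."""
    return signature_state(value) == "valid"

def debug_report(values):
    """Debugging/reputation: keep the states apart, tie 'bad' to a domain."""
    states = Counter(signature_state(v) for v in values)
    bad_by_domain = Counter(
        d for v in values if signature_state(v) == "bad"
        for r, d in dkim_results(v) if r not in ("pass", "none"))
    return states, bad_by_domain
```

The per-domain count of bad signatures is the kind of separate value a signer would want when debugging and a reputation system would weigh against other data.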


