[ietf-dkim] NO DKIM "POLICY"
barryleiba at computer.org
Thu Feb 19 15:35:50 PST 2009
>> By design, a broken signature is equivalent to no signature.
> Yeah, that RFC 4871 anomaly "Failure Promotion to no signature" always
> did baffled me.
If either one were "better", attackers would just shift to the better
one. It's simple enough to use no signature at all, if no signature
is better than a broken one. Similarly, it's easy to fake a signature
if that way be better.
Making the cases equivalent means we don't have to try to deal with
convoluted heuristics that will only be attacked anyway.
But that's really a digression; please, let's not clutter the
discussion with that issue again.
More information about the ietf-dkim