Let us remember that DKIM+Policy were separated into two protocols;  a 
DKIM-BASE layer and a secondary domain signing practice layer (SSP which 
evolved to ADSP).  Making an invalid signature equal to a missing signature 
concept was a security logic which allowed for the exclusive or strict signing 
domain policies to exist and work with one single short circuiting policy 
handling state/event condition:

   If policy.strict and signature.missing or invalid then negatively classify;

You must make invalid be the same as missing from a rejection or functional 
equivalent negative classification standpoint otherwise you have a security 
loophole.

While DKIM-BASE tried to clean up this separation of the author domain policy, 
it could not because of all the past existing ADSP or SSP references in the 
many DKIM related RFCs, see RFC6376, section 1.1.   But conceptually, it didn't 
matter what you called it.  It was an author domain signing policy protocol and 
today, it's called DMARC.   DKIM has no payoff with just base signing analysis. 
It was separated but with all the intentions of sticking secondary author 
policy and signer trust layers on it before a payoff was realized.  

--
Hector Santos
http://www.santronics.com
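
The short-circuiting policy rule above, written out as a small evaluator so the loophole is visible. This is an added example, not code from the poster or from any DKIM/ADSP/DMARC implementation; the policy names ("none", "strict"), the per-signature result values and the `invalid_equals_missing` switch are assumptions made for illustration. The switch exists only to show what goes wrong when a verifier treats a bad signature more leniently than a missing one, as RFC 6376 warns against.

```python
from enum import Enum
from typing import Iterable


class SigResult(Enum):
    """Outcome of verifying one DKIM-Signature header (assumed vocabulary)."""
    PASS = "pass"   # signature verified against the signer's published key
    FAIL = "fail"   # header present but invalid (broken canonicalization, bad key, ...)
    NONE = "none"   # no DKIM-Signature header at all


class Policy(Enum):
    """Author domain signing practice (assumed names, in the spirit of ADSP/DMARC)."""
    NONE = "none"      # domain asserts nothing about its outbound mail
    STRICT = "strict"  # domain asserts that all its mail carries a valid signature


def classify(policy: Policy,
             results: Iterable[SigResult],
             invalid_equals_missing: bool = True) -> str:
    """Apply 'if policy.strict and signature.missing or invalid then negatively classify'.

    A message may carry several signatures; one good signature is enough.
    Returns "accept" or "negative".
    """
    results = list(results)
    if any(r is SigResult.PASS for r in results):
        return "accept"          # at least one good signature: policy satisfied
    if policy is not Policy.STRICT:
        return "accept"          # no policy to enforce, result is advisory only
    present = [r for r in results if r is not SigResult.NONE]
    if not present:
        return "negative"        # strict policy, signature missing
    # Only bad signatures remain. RFC 6376 says this SHOULD be handled like
    # the no-signature case; the flag below models a verifier that does not.
    if invalid_equals_missing:
        return "negative"
    return "accept"              # the loophole: a broken signature bypasses strict policy


def invalid_matches_missing(policy: Policy, invalid_equals_missing: bool = True) -> bool:
    """Self-check: bad-only and no-signature messages must be classified identically."""
    bad_only = classify(policy, [SigResult.FAIL], invalid_equals_missing)
    missing = classify(policy, [], invalid_equals_missing)
    return bad_only == missing


if __name__ == "__main__":
    # Constructed sample outcomes for a strict author domain.
    for label, sigs in [("missing", []),
                        ("bad only", [SigResult.FAIL]),
                        ("bad + good", [SigResult.FAIL, SigResult.PASS])]:
        print(f"{label:>10}: correct={classify(Policy.STRICT, sigs)}, "
              f"lenient={classify(Policy.STRICT, sigs, invalid_equals_missing=False)}")
    print("lenient verifier closes loophole:",
          invalid_matches_missing(Policy.STRICT, invalid_equals_missing=False))
```

The `invalid_matches_missing` check is the property worth keeping in a verifier's test suite: under a strict policy, a message whose only signatures are bad must land in the same bucket as one with no signature, otherwise the strict policy can be satisfied by any signature-shaped header.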

> On Jun 19, 2014, at 12:49 PM, S Moonesamy <sm+i...@elandsys.com> wrote:
> 
> Hi Matt,
> At 18:58 15-06-2014, Matt Simerson wrote:
>> Yes, it does. But SA uses the results of Mail::DKIM heuristically and a DKIM 
>> failure is frequently not a sufficient basis for rejection.
> 
> During the (old) DKIM discussions there was a view that the result of a DKIM 
> verification was to be used as input for policy decisions.  That is similar 
> to the above.  This was also discussed on a SMTP mailing list [1].  There is 
> the following recommendation in RFC 6376:
> 
>  "Therefore, a Verifier SHOULD NOT treat a message that has one or more
>   bad signatures and no good signatures differently from a message with
>   no signature at all."
> 
> Regards,
> S. Moonesamy
> 
> 1. http://www.ietf.org/mail-archive/web/ietf-smtp/current/msg01487.html 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
> 
