[Sounds like this message never got to the list, but it's in the archives at http://mipassoc.org/pipermail/ietf-dkim/2007q4/008784.html ]
Wietse asked:
> Is no signature equivalent to a bad signature?

For the pure authentication verification use case, where anything not authenticated is inauthentic, there's no difference.

When debugging a DKIM installation on behalf of the signer (why some messages don't verify when I thought they would, etc), I'd very much want to know whether there was no signature or a bad/unverifiable signature.

When calculating reputation on behalf of the verifier (which is out of scope and will never be standardized, but is still a known valid use case), I'd be inclined to record them as separate values...and then look at additional data to determine whether it was more likely to be accidental or malicious.

> Will you give "no signature" equal treatment to "bad signature", or
> will you give mail with bad signatures (such as a valid header that
> was pasted on top of a forged body) more favorable treatment?

If we're talking about the pure authentication case, they'd get the same treatment.

If we're talking about the debugging case, the verifier may treat them the same way but the signer would want to know the difference (as reflected in Murray's DKIM reporting draft.)

If we're talking about the reputation case, the final treatment would depend on external variables & calculation.

I recognize that these three are not the only use cases, but I think they show a sufficient range.

--
J.D. Falk
Receiver Products
Return Path
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
