Wietse Venema wrote:
> Charles Lindsey:
>> On Mon, 01 Jun 2009 15:49:28 +0100, Barry Leiba <barryle...@computer.org>
>> wrote:
>>
>>> I think it's a terrible idea to (1) leave signatures in a message
>>> after you break them, (2) add A-R without removing any already there,
>>> or (3) add A-R without a signature covering it.

A signature covering it? That's quite a new requirement for a-r and one
that nobody that I'm aware of is following.

>> And I, on the contrary, believe it is a terrible idea EVER to remove a
>> signature or an A-R header. There is never anything to be gained by
>> throwing away information that someone more perceptive than yourself might
>> find useful.
>
> Except, of course, when the bad guys use this to have their bogus
> signatures and their bogus A-R headers "laundered" by naive signers.

People who use bogus information to make go/no-go decisions quite
literally get what they deserve. Why single out DKIM?

In any case, removing signatures seriously sucks from a forensics
standpoint. The DKIM rule is that if they're broken, they're equivalent
to not existing. Leaving signatures in hurts *nothing*, and provides a
lot of feedback to the original sender if needed to diagnose why
signatures failed. This shit happens in the real world. Often.

Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html