On 25 May 2011, at 21:06, John R. Levine wrote: >>> It tells me signing and encryption certificates are valid and even their >>> root certificates are valid... >> >> Well, something's wrong with it. I checked the signature in Alpine, >> Thunderbird, and Evolution, and they all agree it's fine. > > I went back and looked in more detail. The problem appears to be that this > mailing list wraps the signed body in a MIME multipart/mixed section > including both the signed message and the unsigned footer. Some MUAs look > inside the mixed and see the signature, some don't. For the ones that do, I > haven't checked to see how if at all they distinguish the signed part from > the unsigned when they show you the message (shades of all the l= arguments.) > > So this tells me that existing mail software doesn't try very hard to recover > signatures from modified messages, even for simple changes that don't need > any guessing or heuristics to undo.
My client found the signature, otherwise it would not have commented on its validity. It just wasn't able to verify it. > Why would anyone think that the situation with DKIM would be any different? I don't know. I had the impression that you were claiming that S/MIME would work better than DKIM here. Perhaps it does, but it still doesn't seem to be bullet proof. I think the long term solution would be for mailing list software to stop mucking around with the message body, and for MUAs to work better at exposing meta data added by lists (like the list-unsubscribe header). My guess is that if the top five MUAs and the top ten webmail services were all to make good use of list-unsubscribe and list-id headers (and perhaps others), then many list operators would not feel the need to mess around with message bodies and subject lines. -- Ian Eiloart Postmaster, University of Sussex +44 (0) 1273 87-3148 _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html