> -----Original Message-----
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] 
> On Behalf Of Charles Lindsey
> Sent: Friday, July 08, 2011 3:59 AM
> To: DKIM
> Subject: Re: [ietf-dkim] Final update to 4871bis for working group review
> 
> > My favourite counterexample, which I've used many times already, is
> > Mailman.  It doesn't even check DKIM signatures, but you can still fake
> > your way through its authorization process such that a different From:
> > is shown to the user for some MUAs.
> 
> Can you please give me a pointer to that?

The source code.  I also recall looking at Spamassassin and/or procmail, and 
majordomo, and finding the same thing.

> If DKIM is not intended to give added credence to messages, then what on
> earth is its purpose at all?

That question is answered numerous times in the draft, namely the Abstract and 
Sections 1, 1.2, 1.5, 2.5, 2.7, 3.9, 3.11, 6.3, and 8.15 (and other parts of 8).

> Yes, it needs to be interpreted with care and
> understanding, and our Security Considerations are the vehicle for
> improving that understanding.

Indeed.

> I suspect many assessors will use a scoring system (like Spamassassin),
> where a signed message, even from a totally unknown domain, will add some
> positive contribution.

The text in the current draft spells that out as a bad idea.  Moreover, I see 
on Apache's website that right now Spamassassin penalizes a message 0.001 for 
being signed, but removes that penalty if the signature verifies.

-MSK

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html