> On 21 Dec 2023, at 17:13, John R Levine via mailop <mailop@mailop.org> wrote:
>
> On Thu, 21 Dec 2023, Mike Hillyer wrote:
>> John Said:
>>
>>> I'm sure that Google has code somewhere that can validate ED25519
>>> signatures. But that does not mean that it would be a good idea for them
>>> to use that code in production today and try to update their reputation
>>> systems to deal with the dual signing that implies.
>>
>> With the number of messages already arriving with multiple DKIM signatures I
>> can't imagine their reputation systems don't already handle dual signing
>> just fine. Granted this would be two signatures on the same domain, but that
>> seems that a small change from handling a signature on the From plus one
>> from the ESP and maybe even one for the list-unsubscribe domain.
>
> If there's two signatures for the same domain, one is good and one is bad,
> which do you believe? I know what the spec says, but we have no practical
> experience.

For a while we were checking DKIM with 2 different parsers. There were keys that passed in one parser and not the other. It was consistent across signing - so all Microsoft signatures failed with parser 1 and passed with parser 2. But there were other signatures that passed with parser 1 and failed with parser 2.

Point is, I have orthogonal experience to the one you're positing: same signature, 2 different results using two different parsers. I believed the one that passed (i.e., I believed it was validly signed by the responsible domain).

Laura

> In any event, as I've said at least three times now, RSA keys are fine for
> the foreseeable future so there is no benefit to using ED25519 keys unless
> there is an unexpected key break.

-- 
The Delivery Expert

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Delivery hints and commentary: http://wordtothewise.com/blog
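
Added example, not part of the thread and not any poster's code: one way a receiver could combine several DKIM results for the same d= domain, following the RFC 6376 section 6.1 advice that a message with only bad signatures should be treated like an unsigned one, so any verified signature wins. The header value, hostnames and selectors are constructed placeholders, and the parsing is deliberately reduced to the `dkim=` clauses of an RFC 8601 Authentication-Results field.

```python
import re
from collections import defaultdict

# Constructed Authentication-Results value (RFC 8601 syntax); all names are placeholders.
SAMPLE_AR = (
    "mx.example.net;"
    " dkim=fail (bad signature) header.d=example.com header.s=ed2023 header.a=ed25519-sha256;"
    " dkim=pass header.d=example.com header.s=rsa2023 header.a=rsa-sha256;"
    " dkim=pass header.d=esp.example header.s=k1 header.a=rsa-sha256;"
    " dkim=fail header.d=lists.example header.s=k2 header.a=rsa-sha256"
)

COMMENT = re.compile(r"\([^()]*\)")
RESULT = re.compile(r"\bdkim=([a-z]+)")
PROP = re.compile(r"\bheader\.([ads])=([^\s;]+)")

def parse_dkim_results(header):
    """Return one record per dkim= clause: result plus d= / s= / a= properties."""
    records = []
    clauses = COMMENT.sub("", header).split(";")[1:]  # [0] is the authserv-id
    for clause in clauses:
        m = RESULT.search(clause)
        if not m:
            continue  # spf=, dmarc= and other methods are out of scope here
        rec = {"result": m.group(1), "d": None, "s": None, "a": None}
        for key, val in PROP.findall(clause):
            rec[key] = val.lower()
        records.append(rec)
    return records

def verdict_by_domain(records):
    """Any verified signature wins for its d= domain; failures alone count as unsigned."""
    seen = defaultdict(set)
    for rec in records:
        if rec["d"] is None:
            continue  # no signing domain reported, nothing to attribute
        seen[rec["d"]].add(rec["result"])
    verdict = {d: ("pass" if "pass" in rs else "none") for d, rs in seen.items()}
    # Domains with a pass AND a non-pass result: worth logging, not worth penalising.
    mixed = sorted(d for d, rs in seen.items() if "pass" in rs and len(rs) > 1)
    return verdict, mixed

if __name__ == "__main__":
    verdict, mixed = verdict_by_domain(parse_dkim_results(SAMPLE_AR))
    print(verdict, mixed)
```

The `mixed` list is the dual-signing case discussed above (one Ed25519 and one RSA signature from the same domain that disagree); logging it per `header.a` value shows whether the disagreement tracks the algorithm or the verifier.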