On 6/12/2014 8:37 AM, Stephen J. Turnbull wrote:
> Dave Crocker writes:
>
> > Hence this is merely the case of two, competing signatures and deciding
> > which to choose.
>
> An invalid DKIM signature should not be treated differently from the
> absence of that signature.

I wasn't referring to any 'invalid' signatures. When DKIM-Delegate is used, there are two, valid signatures for the same domain. One is 'stronger'.

The scenario being discussed is for a recipient who gets both signatures when they are valid, but who does not know about DKIM-Delegate. They only know about DKIM.

Folks who are receiving this email they are reading, via the [email protected], would get only one valid signature, since the 'stronger' one would be broken. On the other hand you, Stephen, are a direct recipient and ought to get two valid signatures. One stronger, one weaker. So your system needs to decide which one to prefer. It ought to prefer the 'stronger' one, but the point being raised is that this is not an issue that has been at issue until now. (Or, at least, not much of an issue until now.)

My own response is that implementations of security-related software that do not attend to factors that make the security weaker have deeper problems than the one we are discussing now...

> I'm not sure about the intended precise
> technical interpretation of that clause, but I suspect that some (many?)
> verifiers will simply drop it from further consideration.
>
> In spoofed messages either the content-covering DKIM signature will be
> invalid, or it will be missing.

The concern is that the weaker signature (that I call a token, given how little of the message it is likely to cover) is more easily re-used for a replay attack.

> So the valid signature matching -Delegate is indeed weak
> (authenticates little content), but *there is no competing signature*.

except for direct recipients (and mailing list recipients for lists that don't break the 'stronger' signature...)

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
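As an added illustration of the choice described in the reply above (this is not code from the thread, from DKIM-Delegate, or from any DKIM implementation): a verifier that holds two valid DKIM signatures for the same d= domain can rank them by how much of the message each one binds and rely on the stronger one, rather than on whichever header happens to come first. The header values are constructed, the signature bits are placeholders, and the tag names follow RFC 6376.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: two DKIM-Signature header values for the same d= domain,
# as a direct recipient would see them. Both are assumed to have already passed
# cryptographic verification (bh= and b= are placeholders); what remains is to
# decide which one to rely on.
STRONG_SIG = ("v=1; a=rsa-sha256; d=example.org; s=mail; c=relaxed/relaxed; "
              "h=from:to:subject:date:message-id:mime-version:content-type; "
              "bh=BODYHASH_PLACEHOLDER; b=SIG_PLACEHOLDER")
# The "token"-style signature: signs only From and Date, and l=0 signs no body.
WEAK_SIG = ("v=1; a=rsa-sha256; d=example.org; s=delegate; c=relaxed/relaxed; "
            "h=from:date; l=0; bh=BODYHASH_PLACEHOLDER; b=SIG_PLACEHOLDER")


def parse_tags(sig: str) -> Dict[str, str]:
    """Split a DKIM-Signature tag-list (RFC 6376 section 3.2) into a dict."""
    tags: Dict[str, str] = {}
    for part in sig.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def coverage_score(sig: str) -> int:
    """Rank a signature by how much of the message it binds.

    Each signed header field counts 1 (listing a name twice, "over-signing",
    binds an extra, possibly absent, instance and counts again). No l= tag
    means the whole body is signed (large bonus); l=0 signs no body at all;
    any other l= signs only a prefix of the body (small bonus).
    """
    tags = parse_tags(sig)
    score = len([h for h in tags.get("h", "").split(":") if h])
    if "l" not in tags:
        score += 100
    elif tags["l"] != "0":
        score += 10
    return score


def prefer_signature(valid_sigs: List[str]) -> Optional[Dict[str, str]]:
    """Among valid signatures for one domain, return the tags of the one with
    the widest coverage, so a verifier does not settle for a weak token."""
    if not valid_sigs:
        return None
    return parse_tags(max(valid_sigs, key=coverage_score))
```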
