Eric Rescorla wrote:
I can't think of any reason that we would break existing signatures without some observable change in the DKIM-Signature header field. Either a change in some parameter (such as the change in canonicalization algorithm names between allman-00 and allman-01) or an increment in the version number. I consider such a change equivalent to a change in the hash algorithm from a compatibility standpoint: we could run the old and new versions in parallel as separate signatures.Jim Fenton <[EMAIL PROTECTED]> writes: A single message destined for a fair number of people would only be signed once, since we aren't signing the envelope addresses. The reason I'm more sensitive to verification load is the potential make-work attack from an attacker who generates valid-looking but invalid signatures (which are effectively free in terms of computation). This is described in more detail in section 4.1.6 of the threat document.That said, why are you less concerned with signers than verifiers? RSA signatures are much faster to verify than generate (about 20x) so even messages destined for a fair number of people tend to burden the signer more. And, of course, the verification load is likely to be more spread out.... -Jim |
_______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
