Barry Leiba wrote: >>> Levine wrote: >>> >>> By design, a broken signature is equivalent to no signature. > >> Yeah, that RFC 4871 anomaly "Failure Promotion to no signature" always >> did baffled me. > > If either one were "better", attackers would just shift to the better > one. It's simple enough to use no signature at all, if no signature > is better than a broken one. Similarly, it's easy to fake a signature > if that way be better. > > Making the cases equivalent means we don't have to try to deal with > convoluted heuristics that will only be attacked anyway. > > But that's really a digression; please, let's not clutter the > discussion with that issue again.
Levine brought it up. The question was if a NULL Key will help expose an inherent NO DKIM policy (sans ADSP). He said the lack of one will be better. We got multiple answers to this, including thats its not possible. So the question is still up in the air as to how a DOMAIN can protect itself against obvious spoofed, fraud in the form of unauthorized signed messages. Its one thing to say or indicate, maybe as a matter of corporate public policy, "we will always sign our mail", it is equally important to say "we don't or never sign our mail for XYZ domains" -- Sincerely Hector Santos http://www.santronics.com _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
