On 6/2/2009 08:05, Wietse Venema wrote:
> Charles Lindsey:
>> On Mon, 01 Jun 2009 15:49:28 +0100, Barry Leiba <[email protected]>
>> wrote:
>>
>>> I think it's a terrible idea to (1) leave signatures in a message
>>> after you break them, (2) add A-R without removing any already there,
>>> or (3) add A-R without a signature covering it.
>> And I, on the contrary, believe it is a terrible idea EVER to remove a
>> signature or an A-R header. There is never anything to be gained by
>> throwing away information that someone more perceptive than yourself might
>> find useful.
>
> Except, of course, when the bad guys use this to have their bogus
> signatures and their bogus A-R headers "laundered" by naive signers.
>

I agree. DKIM is supposed to make it easier for recipients to recognize the few legitimate messages in the flood of unwanted, if not intentionally malicious, messages that are presented to our servers. I see little, if any, value in leaving broken signatures and the matching A-R headers in a message, and a great deal of potential for problems resulting from the flawed assumption that the signature must have been valid at some point in time, or it and its matching A-R headers would not be present.

-- 
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame

Just because you're paranoid doesn't mean they aren't out to get you.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
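
Added example, not part of the original message or of any poster's code: one way a signing host can avoid the "laundering" discussed above is to drop inbound Authentication-Results headers that claim its own authserv-id (or that cannot be parsed) before it adds its own A-R header and signature. This is narrower than removing every A-R header. The authserv-id `mx.example.org`, the function names and the sample message are assumptions constructed for illustration.

```python
import email
import re

OUR_AUTHSERV_ID = "mx.example.org"  # assumed authserv-id of the signing host

# Constructed sample: two A-R headers forged to look like ours (one hides the
# id behind a comment and a version number) and one from another host.
SAMPLE = (
    b"Authentication-Results: mx.example.org; dkim=pass header.d=bank.example\r\n"
    b"Authentication-Results: (x;y) MX.example.org 1; dkim=pass header.d=bank.example\r\n"
    b"Authentication-Results: upstream.example.net; dkim=fail header.d=list.example\r\n"
    b"From: someone@bank.example\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"body\r\n"
)

_COMMENT = re.compile(r"\([^()]*\)")  # innermost parenthesised comment


def authserv_id(value: str) -> str:
    """Return the lower-cased authserv-id: the first token of an A-R value."""
    previous = None
    while previous != value:  # repeat so nested comments are peeled off
        previous, value = value, _COMMENT.sub(" ", value)
    tokens = value.split(";", 1)[0].split()
    return tokens[0].lower() if tokens else ""


def strip_untrusted_ar(raw: bytes, our_id: str = OUR_AUTHSERV_ID):
    """Drop A-R headers claiming our_id or lacking a parseable id.

    Returns (message, removed_values). Other headers keep their order.
    """
    msg = email.message_from_bytes(raw)
    kept, removed = [], []
    for name, value in msg.items():
        if name.lower() == "authentication-results":
            claimed = authserv_id(value)
            if not claimed or claimed == our_id.lower():
                removed.append(value)  # fail closed on unparseable ids
                continue
        kept.append((name, value))
    for name in list(msg.keys()):  # deleting an absent header is a no-op
        del msg[name]
    for name, value in kept:
        msg[name] = value
    return msg, removed
```
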
