On 26/Oct/10 19:08, Murray S. Kucherawy wrote: > On Behalf Of Alessandro Vesely >> On 26/Oct/10 06:58, Murray S. Kucherawy wrote: >>> a verifying module might return a syntax error code or arrange not to >>> return a positive result even if the signature technically validates. >> >> -1. How does "might" differ from "MAY"? > > In a bunch of ways. In particular, though, it is deliberately not > RFC2119 language, partly because that's not generally done in > Security Considerations since that section is discussion > (informative) rather than protocol (normative).
But it affects the result! That way a verifier is encouraged to determine the validity of a signature based on heuristic criteria. This kind of checking belongs to scam filters a la SpamAssassin. Now, SA doesn't do it. Possibly, that's because it's statistically irrelevant. AFAIK, SA does not even analyze Authentication-Results, but re-checks signatures anew. Why? Suppose one day the double-From attack becomes trendy and SA developers will want to write code that checks for the valid-signature + added-From pattern. They would never be able to use A-R, because those results might be flawed by such non-normative arrangements: This is where that layer violation hurts. According to that text, it is strongly advised to have a scam filter /integrated/ within a DKIM verifier. Doesn't this slash the value of stand alone verifiers and A-R fields? JM2C _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
