On 19 May 2011, at 18:19, Murray S. Kucherawy wrote:
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of Ian Eiloart
>> Sent: Thursday, May 19, 2011 3:21 AM
>> To: John Levine
>> Cc: <[email protected]>
>> Subject: Re: [ietf-dkim] New canonicalizations
>>
>> Probably true, but if the difference between 10% broken and 8% broken
>> signatures is independent of whether the email is spam, then actually
>> "relaxed" seems to be producing a 20% reduction in signature breakage.
>>
>> I'd argue that a 20% reduction in broken signatures *is* actually "much
>> better".
>
> That statistic is largely meaningless unless there's a basis for comparison.
> For example, it would be useful to observe that the same message, sent with
> each of the four canonicalizations, to the same set of destinations using the
> same endpoint software, produced different results given that one changing
> variable. But if domain X only ever tried sending with relaxed/relaxed and
> generally gets good results, there's nothing in that datum to say that
> simple/simple would not have worked just as well for the same sender with the
> same mail. Thus I don't believe there's enough data to support your
> conclusion.
Well, nor do I really. I'm just pointing out that IF IF IF the 10% and 8%
figures are real then it's the 10% and 8% that you need to be comparing (that's
a 20% improvement) not the 90% and 92% (a trivial improvement).
However, someone else pointed out that spammers and non-spammers seem to have
similar patterns of using simple and relaxed. If that's the case, then we've
eliminated one potential problem with the data.
> That relaxed/relaxed appears to survive 20% more might be based on the fact
> that the people using it send clean mail through clean paths, and it's as
> simple as that.
True. Though I've found that maybe one third of messages that I see with a bad
signature also carry a good signature.
>> To determine that, we'd need a pareto analysis of breakage modes.
>> Presumably lists that aren't re-signing are responsible for some of
>> this, as are broken signing mechanisms. The questions remaining are,
>> "is there anything left after excluding those two cases?", and "how
>> much of that could be fixed easily?".
>
> Our stats are unable to tell what the problem is in all cases, but for mail
> we've received where the signer used the "z=" tag, the biggest signature
> breaker in terms of header changes is modified To: fields. I suspect that's
> either rewriting by lists to add the list description as a comment, or
> improperly quoted comment fields that are corrected along the way.
For May, so far, I see these canonicalisations for good signatures:
206136 c=relaxed/relaxed
55748 c=relaxed/simple
1 c=simple/relaxed
29207 c=simple/simple
I also see these problems:
5816 invalid - public key record (currently?) unavailable
364 signing domains
3772 invalid - syntax error in public key record
93 signing domains
And these for bad signatures:
22577 c=relaxed/relaxed (9.9%)
but 6087 (27%) of these are from yahoogroups.com, and almost all also
carry a good signature!
4065 c=relaxed/simple (6.7%)
6 c=simple/relaxed
3094 c=simple/simple (9.6%)
And these are the failure reasons:
simple/simple:
1992 body hash mismatch (body probably modified in transit)]
1102 signature did not verify (headers probably modified in transit)]
relaxed/simple:
2796 body hash mismatch (body probably modified in transit)]
1269 signature did not verify (headers probably modified in transit)]
relaxed/relaxed:
1824 body hash mismatch (body probably modified in transit)]
20753 signature did not verify (headers probably modified in transit)]
d=yahoogroups.com:
9 body hash mismatch (body probably modified in transit)]
5949 signature did not verify (headers probably modified in transit)]
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
