On 10/18/2017 09:18 AM, Dimitri Maziuk wrote:
> Then you seem to misunderstand what crypto signatures actually do.
I believe I understand what the crypto signatures actually do.
We are each entitled to decide what to actually do based on the result
of the crypto signature (in)validity.
> If signature check fails, then the message is not what its author
> actually wrote. IRL it's mainly SourceForge and the like injecting its
> ads into signed parts (and the real reason Google is pushing HTTPS and
> DKIM so hard is that it's messing with their ad revenue), but in principle if
> the check fails the message *content* is *invalid*. Whoever the author
> and whatever the content.
I believe I remember (but can't point to) something in the DKIM spec
that referenced the possibility that the DKIM signature could be broken
by things as benign as an MTA doing a content transfer encoding
conversion. - I have personally seen this.
As such, you can't be 100% positive that the message content's meaning /
copy has actually changed, just that something about the message has
changed. - Thus it is advised to only treat valid signatures as a good
thing and be cautious of treating invalid signatures as a bad thing.
I use DKIM validity as a signal that I then make decisions based on. -
Hence why I have chosen to alter spam score on my mail server based on
the DKIM result.
--
Grant. . . .
unix || die
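The point made in the reply above, as an added example that is not part of the thread: the DKIM body hash (sha256 over the RFC 6376 "relaxed" canonical body) survives whitespace rewriting but not a benign 8bit-to-quoted-printable re-encoding, so a failed signature is weighted as a signal rather than treated as proof of tampering. The sample body, the minimal QP encoder and the score deltas are this example's own constructions, not the author's configuration.

```python
import base64
import hashlib
import re

# Constructed sample body (not from the thread): contains 8-bit bytes that an
# intermediate MTA might re-encode as quoted-printable for a 7-bit next hop.
ORIGINAL_BODY = "Hello Dimitri,\r\n\r\nSigned by Grant M\u00fcller.\r\n".encode("utf-8")

def relaxed_body_canon(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of
    WSP to one space, drop trailing WSP, drop trailing empty lines, end with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes) -> str:
    """The bh= value a signer computes with c=relaxed and a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canon(body)).digest()).decode()

def recode_8bit_to_qp(body: bytes) -> bytes:
    """Minimal stand-in for an MTA converting an 8bit body to quoted-printable:
    escape '=' and every non-ASCII byte as =XX. Meaning unchanged, bytes changed."""
    return b"".join(b"=%02X" % c if (c == 0x3D or c > 0x7E) else bytes([c]) for c in body)

def dkim_score_adjustment(result: str) -> float:
    """Spam-score deltas in the spirit of the reply (values are assumptions):
    a pass is a strong positive signal, a fail only a mild negative one,
    because benign MTA rewriting also breaks signatures."""
    return {"pass": -1.0, "fail": 0.3, "none": 0.0}.get(result, 0.0)

def verify_and_score(signed_bh: str, received_body: bytes) -> tuple:
    """Compare the received body against the signed bh= and map to a score delta."""
    result = "pass" if body_hash(received_body) == signed_bh else "fail"
    return result, dkim_score_adjustment(result)

if __name__ == "__main__":
    bh = body_hash(ORIGINAL_BODY)
    print("untouched:             ", verify_and_score(bh, ORIGINAL_BODY))
    print("whitespace reflowed:   ", verify_and_score(bh, ORIGINAL_BODY.replace(b"Hello Dimitri,", b"Hello  Dimitri, \t")))
    print("8bit->QP by an MTA:    ", verify_and_score(bh, recode_8bit_to_qp(ORIGINAL_BODY)))
```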
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users