Murray first raised the issue of weak signatures. Ale has revisited the topic by mentioning the transition to newer hash algorithms. We know that encryption algorithms get retired over time, and the time sequence looks like this: - trusted - deprecated - not trusted
When applied to DKIM signatures, we can conclude that "weakness" is an evaluation result, not a disposition result. A weak signature may not hinder acceptance during the "deprecated" period, but it may cause problems during the "not trusted" period. Weak results need to be part of the aggregate report so that domain owners understand the importance of moving from weak to strong signatures. Different evaluators will move to the "not trusted" state at different times, and aggregate reporting helps a domain owner understand his transition priorities. Implications for our texts: - DAMRC Evaluation does not exit upon finding an aligned and verified weak signature. Instead, the result is noted but the evaluation continues in hopes of finding an aligned and verified strong signature. - When reporting less than all results, strong results take precedence over weak ones. - DKIM results are reported as PASS, WEAK, or FAIL rather than simply PASS or FAIL. Sometime in the next week, I hope to submit proposed changes to the reporting text which reflect my recommendation to require only one signature result, while allowing more up to a safety limit such as 10. The notion of WEAK results will be included in that effort. Doug
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
