Re: [exim-dev] [Exim-maintainers] Exim 4.70

Author: Tom Kistner
Date:  
To: Simon Arlott
CC: exim-dev, exim-maintainers
Subject: Re: [exim-dev] [Exim-maintainers] Exim 4.70
Simon Arlott wrote:

> Aren't there other bugs that should be fixed in a 4.70 release?
>
> http://bugs.exim.org/show_bug.cgi?id=894
> http://bugs.exim.org/show_bug.cgi?id=890 <-- this one is in DKIM


Fixed the latter.

> Also, where is the proof that the DKIM code is correct?


Try it! As with most code, it is a matter of trust. Constructing proof
in a mathematical sense would start at the underlying crypto
implementation. Would take ages to complete. Don't feel like it.

> Both DK and PDKIM are complex. There may be differences in
> implementations for some cases (both From and Sender present, etc.).


The code needs some real-world exposure. That's why we're doing this
exercise!

> When a signed email fails to validate, is it the fault of the sender
> or recipient's DKIM processing?


It is possible to find that out. I've done compat testing against the
public responders of other implementations, and it seems to work. Of
course, results can vary given different mail bodies, of which there are
infinite.

> Invalid signatures and any verification bugs will cause problems
> for both sender and recipient that may go undetected.


That is why the implementation only logs an informative message for each
signature found. It is up to the user (admin) to construct a policy.


/tom