At 5:20 PM +0100 4/4/06, Stephen Farrell wrote:
A question about the semantics bit.
What do we need to say about what a verifier MUST, SHOULD
or MAY do/NOT do, if sig1 has "h=foo+bar" but sig2 has "h=bar"
(or whatever other variant you prefer)?
My preference would be to say nothing. This is a recipient policy issue.
However, I suspect that some verifiers will tell someone
about what "h=" was when they see a single signature, in
which case should we say that such verifiers SHOULD present
info about all sigs or something? If a verifier reports
partial or confusing information there, then trouble may
well ensue. OTOH, this is close to designing an API, and
that's not generally IETF business.