Paul Hoffman wrote:
At 5:20 PM +0100 4/4/06, Stephen Farrell wrote:
A question about the semantics bit.
What do we need to say about what a verifier MUST, SHOULD
or MAY do/NOT do, if sig1 has "h=foo+bar" but sig2 has "h=bar"
(or whatever other variant you prefer)?
My preference would be to say nothing. This is a recipient policy issue.
Fair enough. Mine would just slightly be to point that out, e.g.
by saying that it's a recipient policy issue.
If folks disagree, saying so would be good.
However, I suspect that some verifiers will tell someone
about what "h=" was when they see a single signature, in
which case should we say that such verifiers SHOULD present
info about all sigs or something. If a verifier reports
partial or confusing information there, then trouble may
well ensue. OTOH, this is close to designing an API, and
that's not generally IETF business.
(You must be short of words today:-)
Are you agreeing with the first or last sentence there?