On Jul 27, 2006, at 10:20 AM, Stephen Farrell wrote:
Douglas Otis wrote:
On Jul 27, 2006, at 2:09 AM, Mark Delany wrote:
So it could be an alias entry in SSP then. One is called "I sign
all" and the other is called "I don't send". They both set the
same bit.
There is a slight difference between these two scenarios. This
difference between "All Signed" and "Don't Send" becomes
significant when deciding what to do with an invalid signature.
Presumably only if the domain published some key for some selector
though which I guess you'd only do if you actually do sign
something (or have crazy s/w that creates keys without saying so:-).
Not finding a key represents a PERMFAIL (no key for signature). Both
no key and PERMFAIL are due to several causes, where the Base draft
does not indicate that there be special handling resolving even
PERMFAIL.
DKIM Base:
,---
|6.1 Extract Signatures from the Message
|...
| In the following description, text reading "return status
| (explanation)" (where "status" is one of "PERMFAIL" or "TEMPFAIL")
| means that the verifier MUST immediately cease processing that
| signature. The verifier SHOULD proceed to the next signature, if any
| is present, and completely ignore the bad signature.
'___
This statement clearly places invalid signatures into one pile, key
or no key. If there is a desire to special case specific conditions
leading to PERMFAIL, then policy seems a good place to make this
resolution explicit.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html