Murray S. Kucherawy wrote:
> I'm not clear on the objection here. In particular, it seems to me Barry's
> proposed language lines up nicely with what you said starting "but rather".

My point is that it's already possible for the same selector record to
be used for both DK and DKIM. Just leave the "g=;" out of the key
record. It's not necessary for DK in any case.

> As for the statement that the result would be undefined, I'm also unclear.
> Are you saying two different implementers might do two different things
> because of that MAY? If that's the case, then I think we're in some trouble
> because (for example) there's a MAY in the definition of "x=" that permits
> two results if the signature has expired.

I have never been clear on the value of x= (especially since it says
it's not intended as an anti-replay defense), but you are correct that
the spec is ambiguous as to whether a signature with an expired x= is
valid or not. I would lean in the direction of correcting that
ambiguity, rather than creating a new one.

As everyone is probably tired of hearing me say, I'm all for looking for
reasons to call a signature valid rather than invalid. But there gets
to be a point where it's really easy for the signer to fix the problem,
and they haven't bothered to. I don't have a lot of sympathy for
signers who aren't willing to do even a tiny bit of diligence to make
sure that their signatures are valid. I don't think we should change
the spec to accommodate them.
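
The two points in the message above, as an added example that is not part of the original post or of any DKIM implementation: a key-record check that flags an empty "g=" (under RFC 4871 an absent "g=" defaults to "*", while an empty one matches no address), and an "x=" evaluation showing the two outcomes the MAY permits. The function names, the `expired_is_invalid` policy flag and the sample records are assumptions constructed for illustration.

```python
def parse_tags(record):
    """Parse a DKIM tag=value list (key record or signature) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def lint_key_record(record):
    """Return findings for settings that make DKIM verification fail needlessly."""
    tags = parse_tags(record)
    findings = []
    # A missing g= defaults to "*"; an empty g= matches no address under DKIM.
    if tags.get("g") == "":
        findings.append("empty g=: matches no address under DKIM; omit the tag")
    if "p" not in tags:
        findings.append("no p= tag: record carries no public key")
    return findings


def expiry_result(signature, now, expired_is_invalid):
    """Evaluate x= under one reading of the MAY (the policy flag is hypothetical)."""
    tags = parse_tags(signature)
    if "x" not in tags:
        return "no-expiry"
    if now <= int(tags["x"]):
        return "unexpired"
    return "invalid" if expired_is_invalid else "valid-but-expired"


# Constructed sample data, not taken from the thread.
RECORD_WITH_EMPTY_G = "k=rsa; g=; p=MIGfCONSTRUCTEDKEY"
RECORD_WITHOUT_G = "k=rsa; p=MIGfCONSTRUCTEDKEY"
SIGNATURE = "v=1; a=rsa-sha256; d=example.com; s=sel; t=1250000000; x=1250086400"

if __name__ == "__main__":
    for rec in (RECORD_WITH_EMPTY_G, RECORD_WITHOUT_G):
        print(rec, "->", lint_key_record(rec) or "ok")
    for strict in (True, False):
        print("strict" if strict else "lenient",
              expiry_result(SIGNATURE, 1250086401, strict))
```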