[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Jim Fenton
Sent: Wednesday, October 13, 2010 10:14 AM
Subject: Re: [ietf-dkim] ISSUE: 4871bis-02 - Section 8.14 comments
My inclination is that the spec should say something like:
- The verifier SHOULD consider the signature invalid if a signed header
field occurs an inappropriate number of times in the message header
according to section 3.6 of RFC 5322.
- The verifier MAY consider the signature invalid if it detects other
message syntax violations of RFC 5322.
Does it make sense to be weaker about other things we haven't anticipated yet
that might actually be worse?
5.3 covers everything by requiring general compliance; 8.14 points out the
specific header-centric issue. Since the normative part of 5.3 says SHOULD, I
think this covers it nicely.
The last provision worries me a bit because it opens the door to other
specifications that define header fields. On the other hand, I can
picture an attack involving insertion of a bogus List-Id header field in
order to influence the handling of the message.
I agree; I'd rather leave it at the above two.
NOTE WELL: This list operates according to