On Tue, 2005-10-18 at 00:39 +0000, Mark Delany wrote:
On Mon, Oct 17, 2005 at 05:09:01PM -0500, Earl Hood allegedly wrote:
[ re body hashes ]
It also provides benefits in diagnostics, logging, auditing, and
dealing with multiple signatures.
On the matter of diagnostics, while a binary indicator saying the
cause of a failure is the header vs the content is mildly useful, I
think the whole role of diagnostic mechanisms needs to much more
comprehensive than this to be useful. It's one of the areas that we
started focusing on heavily in DK - what additional diagnostic
material can be supplied to help automate and categorize verification
failures?
I would hazard that comprehensive, automated diagnostics should be
available before finalizing canonicalization.
Much more can be done in the area of diagnostics. Capturing the body
hash would be useful and not add substantially to the overall overhead.
As Earl points out, it also allows the disposition of the signature to
be determined ahead of the data phase completing. This may allow
earlier execution of other checks, such as reputation checks on the IP
address, when the signature is found bad. Invalid hash should not
provide some acceptance value, and at some point the message may be
dropped as a result.
It might be handy to define a header diagnostic which lists header
checksums to also isolate which header is being damaged. I could draw
up some ideas.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org