ietf-dkim

Re: [ietf-dkim] Re: testing Message Corpus & question for base spec

2006-02-11 23:34:21
Douglas Otis wrote:
When the signature has elapsed beyond an expiry period, the current
draft indicates the recipient MUST NOT consider the signature to be
valid.  This would be independent of any sender policy.  When the
message is within a reasonable time frame beyond the expiry time, this
could be due to two causes, replay or delay.  With a high level of spam,
placing messages into a junk folder is likely worse than rejecting the
message.  If this message was a delinquent delinquency notice, for
example, either full acceptance or rejection would make more sense.

The recipient may wish to consider how to handle delivery periods that
are perhaps too short to accommodate delays that may occur in the
recipient's system.  The MUST in the draft may be a bit harsh.
  
The MUST in the draft refers to the validity of the signature, not the
validity of the message.

If you subscribe (as I do) to the philosophy that an invalid signature
should be treated as though it is absent, then the verifier MUST behave
as though the expired signature just isn't there.  Maybe there is
another valid signature, or maybe not.  If not, the message is handled
just like an unsigned one.

-Jim
_______________________________________________
NOTE WELL: This list operates according to 
http://dkim.org/ietf-list-rules.html
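
The handling described in the reply above, as an added example that is not part of the original message or of any DKIM implementation: a signature whose `x=` time has passed is skipped as though absent, any remaining signature is still considered, and a message with none left is treated as unsigned. The `crypto_ok` flag, the function names and the sample header values are assumptions made for illustration.

```python
import re

def parse_tags(header_value):
    """Split a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def is_expired(tags, now):
    """True when the x= (expiry) tag is present and already passed."""
    x = tags.get("x")
    if x is None:
        return False  # no x= tag: the signature carries no expiry
    # Assumption: a malformed x= value is treated as unusable as well.
    return not x.isdigit() or now > int(x)

def evaluate(signatures, now):
    """signatures: list of (header_value, crypto_ok) pairs, where crypto_ok
    stands in for the real cryptographic check (assumption).
    Returns ("signed", d= domain) or ("unsigned", None)."""
    for header_value, crypto_ok in signatures:
        tags = parse_tags(header_value)
        if is_expired(tags, now):
            continue  # expired: behave as though it just isn't there
        if crypto_ok:
            return ("signed", tags.get("d"))
    return ("unsigned", None)  # handled just like an unsigned message

# Constructed sample data (not from the thread).
NOW = 1139700000
EXPIRED = "a=rsa-sha1; d=example.com; s=sel1; t=1139000000; x=1139600000; b=AAAA"
FRESH = "a=rsa-sha1; d=lists.example.net; s=sel2; t=1139690000; x=1140290000; b=BBBB"

if __name__ == "__main__":
    print(evaluate([(EXPIRED, True)], NOW))
    print(evaluate([(EXPIRED, True), (FRESH, True)], NOW))
```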
