On Wed, Feb 15, 2006 at 06:21:36PM -0800, Eric Allman allegedly wrote:
bad signatures. The order in which signatures are tried is a
matter of local policy for the verifier and is not defined
here.
Modulo possible upgrade/downgrade guidance given in other parts of the
(future) spec.
A verifier MAY treat a message that has one or more
bad signatures and no good signatures differently from a
message with no signature at all; again, this is local policy
and is beyond the scope of this document.
I would almost want such text not to be in the spec, but making it
clear that any assessment of invalid signatures is strictly
out-of-scope and entirely a local policy is a good thing.
Jim and Mike I think have push this button the most - and I agree
completely - that ascribing meaning to an invalid signature is tenuous
at best and certainly not something we want to codify.
Over 80% of SMTP transactions are not SMTP compliant
(intentionally). Is DKIM the exception to this high probability?
Dream on, although I'm surprised the number is so high --- perhaps if
you include spam engines. But here is where I think we have a
disagreement; I am concerned, at least in the short run, about
signatures that get trashed for innocuous reasons, such as mailing
list exploders. I don't think such messages should be rejected.
This is, of course, local policy.
Right. If anything I would want to go further and advise against
implementing local policy in this space. The point about SMTP
non-compliance reinforces that point as most of this non-conformance
is likely due to ignorance, hubris and bugs rather than malicious
intent.
Mark.
_______________________________________________
NOTE WELL: This list operates according to
http://dkim.org/ietf-list-rules.html