william(at)elan.net wrote:
> On Fri, 28 Apr 2006, Eric Allman wrote:
>> The z= tag is only supposed to be used for "diagnostic purposes", not
>> for computing the hash. Changing that would have major implications
>> that we would have to examine very carefully.
>
> So if mail list changed Subject header field (and for purposes of this
> question did not add other fields or change content data) and there was
> a signature in message before that contained original Subject in the 'z'
> tag AND now message got to verifying agent - that agent is supposed
> to say the signature is invalid rather than use data from 'z' tag to
> attempt to verify the signature?

Yes, but let me explain. As far as the spec is concerned, there is a
single way to verify a signature, and that does not involve anything
with z=. We need this to be true lest we infinitely devolve into
arguments about what heuristics are good, evil, etc. The current spec
is algorithmic, and that's a Good Thing.

That said, dkim-base does not specify any output other than the internal
state of the verifier after the operation is complete, and this can be
used for whatever purpose the verifier thinks is useful. Nor does
-dkim-base say that you must not try to figure out what went wrong; this
is the receiver's prerogative, and we aren't the net.police. If you were
to try to do that and make a different decision in your receiver based
upon that, that's your prerogative, but it's completely outside the
scope of the -dkim-base document. In other words, you're on your own.

Mike
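
Added example, not part of the original message or of any DKIM implementation: a receiver-side diagnostic that compares the header copies in z= (pipe-separated, dkim-quoted-printable) against the received header fields to report what changed in transit, without touching the verification result. The function names and the sample signature are constructed for illustration.

```python
import re

def parse_tags(sig_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def dkim_qp_decode(text):
    """Decode dkim-quoted-printable: folding whitespace is dropped
    (real spaces arrive as =20), then =XX escapes are expanded."""
    text = re.sub(r"\s+", "", text)
    return re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def copied_headers(tags):
    """Return {lowercased field name: [original values]} from the z= tag."""
    copies = {}
    # Split on "|" before decoding, since an encoded =7C is a literal pipe.
    for item in tags.get("z", "").split("|"):
        if ":" in item:
            name, value = item.split(":", 1)
            copies.setdefault(name.strip().lower(), []).append(dkim_qp_decode(value))
    return copies

def norm(value):
    """Collapse whitespace so folding differences are not reported."""
    return " ".join(value.split())

def diagnose(sig_value, received):
    """List (field, value at signing, value received) for signed fields that
    differ from their z= copy. Diagnostic only: a failed signature stays failed."""
    tags = parse_tags(sig_value)
    copies = copied_headers(tags)
    changed = []
    for name in (h.strip().lower() for h in tags.get("h", "").split(":")):
        for original in copies.get(name, []):
            current = received.get(name)
            if current is None or norm(current) != norm(original):
                changed.append((name, norm(original), current and norm(current)))
    return changed

# Constructed sample: a list prepended a tag to Subject after signing.
SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel; h=from:subject; "
       "z=From:alice@example.com|\r\n Subject:Quarterly=20report; "
       "bh=PLACEHOLDER; b=PLACEHOLDER")
RECEIVED = {"from": " alice@example.com", "subject": " [list] Quarterly report"}
```
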