ietf-dkim

Re: [ietf-dkim] draft-ietf-dkim-base-02 //Deprecating keys and confirming algorithms

2006-05-25 06:33:45
[As an individual contributor]

I assume that the "deprecated keys" are stored in the DNS. If so, the algorithm is an attribute of the key stored in the DNS.

The "Other Algorithms" section seems like an odd place in the document to talk about the mechanism for deprecating keys.

If the DNS contains two keys and one is deprecated and the other is not, then the verifier should only make use of the non-deprecated key, regardless of the algorithm associated with each of the keys.

Russ


At 09:29 PM 5/24/2006, Douglas Otis wrote:
,---
|3.3.3  Other algorithms
|
| Other algorithms MAY be defined in the future.  Verifiers MUST ignore
| any signatures using algorithms that they do not understand.
'___

Change to:

: Other algorithms MAY be defined in the future.  Unless there is a
: signature from a signing domain marked as "deprecated", verifiers
: MUST ignore signatures indicating unimplemented algorithms.
:
:
: Signatures referencing "deprecated" keys must be considered invalid
: without the presence of signature from the same signing domain
: referencing a key not marked as "deprecated", also supporting the
: indicated algorithm.  Verifiers MUST also ignore signatures
: referencing "deprecated" keys when a different signature from the
: signing domain is found offering an implemented algorithm referencing
: a key not marked as "deprecated."
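To make the two positions in this exchange concrete, the following is an added example (not code from the ietf-dkim list, the draft, or any DKIM implementation) that models a verifier's key-selection step over constructed DKIM-Signature headers and key records. DKIM has no "deprecated" marker; the example models the proposal as a hypothetical `d` character in the key record's `t=` flags, and `rsa-sha512` stands in for a hypothetical future algorithm the verifier has not implemented. Real DKIM revokes a key by publishing an empty `p=` tag, and the key record's `k=` and `h=` tags already tie a key to a key type and allowed hashes, which is the sense in which the algorithm is an attribute of the key. Checking the `b=` value itself is out of scope; only the selection logic is shown.

```python
"""Model of DKIM verifier key selection under the two positions in the thread.

Constructed example. The 'deprecated' marker is the proposal under discussion,
not a DKIM tag; it is modelled as a hypothetical 'd' flag in t=. Real DKIM
revokes a key with an empty p=. Signature (b=) verification is not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_tags(text: str) -> dict[str, str]:
    """Parse a DKIM tag=value list ('k=rsa; p=...') into a dict, dropping FWS."""
    tags: dict[str, str] = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = "".join(value.split())  # folding whitespace is not significant
    return tags


@dataclass(frozen=True)
class KeyRecord:
    key_type: str                  # k= tag, e.g. "rsa"
    hashes: frozenset[str] | None  # h= tag; None means any hash
    revoked: bool                  # empty p= (real DKIM revocation)
    deprecated: bool               # hypothetical 'd' flag in t= (the proposal)

    @classmethod
    def from_txt(cls, txt: str) -> "KeyRecord":
        t = parse_tags(txt)
        flags = set(t.get("t", "").split(":")) - {""}
        h = t.get("h")
        return cls(t.get("k", "rsa"), frozenset(h.split(":")) if h else None,
                   t.get("p", "") == "", "d" in flags)


@dataclass(frozen=True)
class Signature:
    domain: str     # d=
    selector: str   # s=
    algorithm: str  # a=, e.g. "rsa-sha256"

    @classmethod
    def from_header(cls, header: str) -> "Signature":
        t = parse_tags(header)
        return cls(t["d"], t["s"], t["a"])

    def key_name(self) -> str:
        return f"{self.selector}._domainkey.{self.domain}"


IMPLEMENTED = {"rsa-sha1", "rsa-sha256"}  # algorithms this verifier knows


def key_supports(key: KeyRecord, algorithm: str) -> bool:
    """a= must match the key's k= type and, if h= is present, one of its hashes."""
    key_type, _, hash_name = algorithm.partition("-")
    return key.key_type == key_type and (key.hashes is None or hash_name in key.hashes)


def classify(sig: Signature, dns: dict[str, str], implemented: set[str]) -> str:
    """One of 'usable', 'deprecated', 'unimplemented', 'bad_key'."""
    txt = dns.get(sig.key_name())
    if txt is None:
        return "bad_key"
    key = KeyRecord.from_txt(txt)
    if key.revoked or not key_supports(key, sig.algorithm):
        return "bad_key"
    if sig.algorithm not in implemented:
        return "unimplemented"          # 3.3.3: verifier cannot check this one
    return "deprecated" if key.deprecated else "usable"


def select_strict(sigs, dns, implemented=IMPLEMENTED):
    """Housley's position: only non-deprecated keys count, whatever the algorithm."""
    return [s for s in sigs if classify(s, dns, implemented) == "usable"]


def select_with_fallback(sigs, dns, implemented=IMPLEMENTED):
    """One reading of Otis's text: a deprecated key is used only when the same
    signing domain offers no usable signature on a non-deprecated key."""
    by_domain: dict[str, list[tuple[Signature, str]]] = {}
    for s in sigs:
        by_domain.setdefault(s.domain, []).append((s, classify(s, dns, implemented)))
    chosen = []
    for items in by_domain.values():
        usable = [s for s, c in items if c == "usable"]
        chosen.extend(usable or [s for s, c in items if c == "deprecated"])
    return chosen


DNS = {  # constructed key records; p= values are placeholders
    "old._domainkey.example.com": "v=DKIM1; k=rsa; h=sha1; t=d; p=MIGfMA0G",   # hypothetical deprecated
    "new._domainkey.example.com": "v=DKIM1; k=rsa; h=sha512; p=MIGfMA0G",
    "s1._domainkey.example.net": "v=DKIM1; k=rsa; p=MIGfMA0G",
    "gone._domainkey.example.net": "v=DKIM1; k=rsa; p=",                     # revoked
}
HEADERS = [  # constructed DKIM-Signature field bodies (bh=/b= placeholders)
    "v=1; a=rsa-sha1; d=example.com; s=old; h=from:to:subject; bh=YmgK; b=c2ln",
    "v=1; a=rsa-sha512; d=example.com; s=new; h=from:to:subject; bh=YmgK; b=c2ln",
    "v=1; a=rsa-sha256; d=example.net; s=s1; h=from:to:subject; bh=YmgK; b=c2ln",
    "v=1; a=rsa-sha256; d=example.net; s=gone; h=from:to:subject; bh=YmgK; b=c2ln",
]
SIGNATURES = [Signature.from_header(h) for h in HEADERS]

if __name__ == "__main__":
    for s in SIGNATURES:
        print(s.key_name(), classify(s, DNS, IMPLEMENTED))
    print("strict:  ", [s.key_name() for s in select_strict(SIGNATURES, DNS)])
    print("fallback:", [s.key_name() for s in select_with_fallback(SIGNATURES, DNS)])
```

Under the strict rule example.com ends up with no checkable signature at all (its deprecated key is skipped and its new algorithm is unknown to this verifier), while the fallback reading lets the verifier use the deprecated key for that domain; both policies agree on example.net, where the revoked key is rejected outright.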

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html