ietf-dkim

[ietf-dkim] Proposed 1368 wording draft 1

2007-03-02 07:43:50
Since we are drafting a requirement here we do not need to give the explanation 
in the detail given on the list.

The signing policy statement MUST be capable of fully describing a signing 
practice in which multiple signatures are always provided such that the policy 
is of utility to any verifier that is capable of verifying any of the signatures 
that are always provided.

Such a mechanism MUST NOT
    * Require the verifier to perform any additional DNS lookups.
    * Require duplication of configuration data
    * In particular not require the policy record to provide for the 
         description of any cryptographic or canonicalization algorithm

Rationale: The ability to specify multiple signatures is necessary in order to 
permit orderly transitions to new cryptographic and canonicalization 
algorithms. Unless the policy language is not sufficiently expressive to allow 
the signer to describe the actual signature practice in this case there is an 
opportunity for an attacker to exploit the fact that there are verifiers that 
do not yet support the new algorithm.

 

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
