On Sun, 10 May 2009, Dave CROCKER wrote:
For example, saying MAY on l= could mean that a signer might choose to
implementer and a validator might not. Hence, no interoperability.
In the case of "z=", for example, a verifier electing not to implement
would simply ignore the tag.
If the use of a tag by a signer, with non-support by the verifier, will
prevent interoperability, then I think it can't be optional.
I've long had a policy that goes past what RFC4871 says. Our software
implements in two layers: basic DKIM (libdkim) and then a filter that uses
that interface (dkim-filter) to conduct verification and then implement
local policy.
Aware of the security risks of "l=" (which are well documented), upon
receiving a signature that used "l=", libdkim might tell the filter the
signature validated, but the filter can also ask the library how much of
the message was signed (i.e. get the value of "i=") and compare this to
the total message size; if there was too much additional data, the filter
is able to consider the signature invalid anyway as a matter of local
policy.
Given this, I'd say we should list "l=" as a MAY, and advise signers that
a verifier might not care that you said "l=", be that simply because "l="
wasn't implemented at the verifier, or perhaps it was implemented but the
verifier had a strict policy on its use and your message violated it.
Thus, we've defined it, but we don't promise it will be universally
useful.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html