Do we need to say anything about the possibility that there are multiple
signatures?
How about "For each signature not ignored by the verifier" or such.
Section 5.3 says:
Verifiers SHOULD ignore failed signatures as though they were not
present in the message.
and Section 7 says:
In the following description, text reading "return status
(explanation)" (where "status" is one of "PERMFAIL" or "TEMPFAIL")
means that the verifier MUST immediately cease processing that
signature. The verifier SHOULD proceed to the next signature, if any
is present, and completely ignore the bad signature. If the status
is "PERMFAIL", the signature failed and should not be reconsidered.
If the status is "TEMPFAIL", the signature could not be verified at
this time but may be tried again later. A verifier MAY either defer
the message for later processing, perhaps by queueing it locally or
issuing a 451/4.7.5 SMTP reply, or try another signature; if no good
signature is found and any of the signatures resulted in a TEMPFAIL
status, the verifier MAY save the message for later processing. The
"(explanation)" is not normative text; it is provided solely for
clarification.
If you believe that, the output should only include signatures that
verified, right? So you aren't suppsed to report TEMPFAIL or PERMFAIL.
Except that if it TEMPFAILed, the output can optionally include a queued
copy of the message and part of a of SMTP transaction.
I fear the worms are escaping. Maybe it should say that the output
includes the signatures that validated. If nothing validated, it might
include a hint that the caller might get a better answer later. And we
should fix Section 7, since you can't even assume that the validator is
running anywhere near an SMTP session.
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html