ietf-dkim

Re: [ietf-dkim] Output summary

2011-04-28 01:29:05
-----Original Message-----
From: John R. Levine [mailto:johnl(_at_)iecc(_dot_)com]
Sent: Wednesday, April 27, 2011 3:33 PM
To: Murray S. Kucherawy
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Output summary

I wouldn't be opposed to doing so, except that 4871 says in two separate
places not to do that.  Section 7 is, now that I look at it, really badly
written, since it implies that a "verifier" is an SMTP server.

I can take a run at fixing Section 7.  What's the other place that says not to 
do that?

We probably have reasonably good agreement about what a verifier should
do:

a) If at least one signature verifies, report success with the d= value(s)
of the valid signature(s) and optionally other stuff.

b) If nothing verified and nothing tempfailed, report no signatures.

c) If nothing verified and something tempfailed, return a hint to try
again later.

d) If at least one signature verified and at least one tempfailed, uh,
flip a coin and either report success or a try again hint.

Unfortunately, that's not really what the existing language says.

My preference would be to return a list of signatures that either passed or 
TEMPFAILed, which could be the empty set if all of them PERMFAILed or the 
message was unsigned, or none of them were acceptable in the first place for 
whatever policy reasons.  The caller can decide whether it wants to try the 
whole shebang again later, or continue with what it got.  It's simple and 
complete.

Can folks live with that?

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
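
The output proposed in the message above, sketched as an added example that is not code from the thread or from any DKIM implementation. All names (`SigResult`, `verifier_output`, `caller_decision`, the `acceptable` policy flag, `retry_on_mixed`) are hypothetical; the second function shows one way a caller could map the returned list onto cases (a) through (d).

```python
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASS = "pass"
    TEMPFAIL = "tempfail"
    PERMFAIL = "permfail"


@dataclass(frozen=True)
class SigResult:
    domain: str              # d= value of the signature
    result: Result
    acceptable: bool = True  # assumed flag: signature allowed by local policy


def verifier_output(sigs):
    """Return only signatures that passed or TEMPFAILed and were acceptable.

    The list is empty for an unsigned message, when every signature
    PERMFAILed, or when none was acceptable for policy reasons.
    """
    keep = (Result.PASS, Result.TEMPFAIL)
    return [s for s in sigs if s.acceptable and s.result in keep]


def caller_decision(output, retry_on_mixed=False):
    """One possible caller policy over the verifier's list (assumption)."""
    passed = [s.domain for s in output if s.result is Result.PASS]
    tempfailed = any(s.result is Result.TEMPFAIL for s in output)
    if passed and not tempfailed:
        return ("success", passed)       # case (a)
    if not passed and not tempfailed:
        return ("no-signatures", [])     # case (b)
    if not passed:
        return ("try-again", [])         # case (c)
    # case (d): the caller chooses, instead of the verifier flipping a coin
    return ("try-again", []) if retry_on_mixed else ("success", passed)


# Constructed sample: one pass, one tempfail, one permfail.
SAMPLE = [
    SigResult("example.com", Result.PASS),
    SigResult("example.net", Result.TEMPFAIL),
    SigResult("example.org", Result.PERMFAIL),
]
```
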
