ietf-dkim

Re: [ietf-dkim] Output summary

2011-04-28 04:52:48


-----Original Message-----
From: Dave CROCKER [mailto:dhc(_at_)dcrocker(_dot_)net]
Sent: Thursday, April 28, 2011 12:11 AM
To: MH Michael Hammer (5304)
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Output summary



On 4/27/2011 8:56 PM, MH Michael Hammer (5304) wrote:
a) If at least one signature verifies, report success with the d=
value(s) of the valid signature(s) and optionally other stuff.

I'm not comfortable with this statement. If I have two signatures, one
from the domain in the From and one from a random 3rd party and the From
domain signature fails and the 3rd party passes then we declare success
with the 3rd party d=signature? To me that dog won't hunt.

Mike, I believe you are continuing to different parts of the
architecture.

The DKIM verifier does not know anything about the "type" of the
signature, such as whether it is first party or third.  An architectural
function that is outside of DKIM signing makes those sorts of
higher-level, integrative analyses.

The current discussion is only about signature validation and how to
report them.


I understand that Dave. My point is that if we follow the logic that
John laid out and we end up with outcomes that leave one scratching
their head, there is a potential issue. We have been round and round the
block on the 1st party vs 3rd party issue but this specific point is in
the context of multiple signatures on a single message rather than the
general discussion of evaluating a message with a single signature.

To make this more direct:  For DKIM signing, there is no such concept
of "From domain signature".


The issue for payload at the level of DKIM Signing, the issue needs to
be kept quite simple:  Report signatures that validate and I guess also
report signatures that get a temporary failure.

No other formal payload comes out of the DKIM Signing spec, no matter
what other sorts of cleverness a particular implementer might provide.
The cleverness is fine, but it goes beyond the spec.


That's what I said. Report the domain and the outcome for each signature
and leave something else to sort things out. Don't try and do it within
DKIM itself. The decision choices by that something else could be based
on reputation or authoritative assertion, or a combination of the two. I
was simply responding to the choices within DKIM that John was laying
out.

Mike

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
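
The split discussed in this message, as an added example that is not part of the original post or of any DKIM implementation: the verifier's output is only a (d= domain, result) pair per signature, and a separate consumer relates those pairs to the From: domain. Assumptions: results arrive in an Authentication-Results header using the `header.d` property, `assess` is a hypothetical consumer using exact domain match, and the message and domains are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the author-domain signature fails, a third-party one passes.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=fail header.d=author.example;
 dkim=pass header.d=thirdparty.example
From: Alice <alice@author.example>
Subject: constructed sample

body
"""
MSG = message_from_string(SAMPLE)

# One dkim=<result> clause with its header.d; never crosses a ';' into the next clause.
DKIM_RESULT = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", re.I)

def dkim_outputs(msg):
    """Verifier-level output: (d= domain, result) per signature, with no ranking."""
    out = []
    for value in msg.get_all("Authentication-Results", []):
        out += [(d.lower(), r.lower()) for r, d in DKIM_RESULT.findall(value)]
    return out

def assess(msg, outputs):
    """Hypothetical layer outside DKIM: the only place the From: domain is consulted."""
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    passed = {d for d, r in outputs if r == "pass"}
    return {
        "author_domain": author,
        "author_domain_signature_valid": author in passed,  # exact match (assumption)
        "other_valid_domains": sorted(passed - {author}),
    }

if __name__ == "__main__":
    results = dkim_outputs(MSG)
    print(results)
    print(assess(MSG, results))
```

A reputation or authoritative-assertion check would slot into `assess`, leaving `dkim_outputs` unchanged.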
