Charles Lindsey wrote:
On Thu, 28 Apr 2011 18:52:19 +0100, John R. Levine
<johnl(_at_)iecc(_dot_)com> wrote:
Last paragraph of sec 5.2: " Verifiers SHOULD ignore failed signatures as
though they were not present in the message."
Actually, that does not seem quite right. It is assessors who should do
that. Verifiers are explicitly asked to report "PERMFAIL" in that case,
which is not quite the same thing as "ignoring".
+1.
The sentence/paragraph should probably be reworded:
CURRENT:
Verifiers SHOULD ignore failed signatures as though they were not
present in the message. Verifiers SHOULD continue to check
signatures until a signature successfully verifies to the
satisfaction of the verifier. To limit potential denial-of-service
attacks, verifiers MAY limit the total number of signatures they will
attempt to verify.
PROPOSED CHANGED:
Verifiers SHOULD continue to check signatures until a signature
successfully verifies to the satisfaction of the verifier.
While Verifiers MAY report invalid signatures using methods
described in section 7.2, verifiers MUST never evaluate invalid
signatures for trust-based SDID identity assessment.
If no valid signature is found, the message is considered to be
unsigned by DKIM standards.
To limit potential denial-of-service attacks, verifiers MAY
limit the total number of signatures they will attempt to verify.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html