> For a scenario where a caller is calling a DKIM milter which in turn calls an
> API, this is all true. But DKIM will be/is deployed in many more scenarios.

Indeed, but you're misunderstanding the point of a standard. The DKIM
spec tells signers how to create a signature that recipients can verify,
and it tells verifiers how to check whether a signature is valid. The
spec is not an implementation guide for every possible implementation
scenario.

We're allowed to assume that the spec will be implemented by reasonably
competent programmers. I think reasonably competent includes figuring out how
to maintain or communicate the external state needed to do what you want
to do.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html