Murray S. Kucherawy wrote:

I agree that it's an implementation issue. All of this is. But choosing
a single "output" formally makes that a no-no for the assessor, which
is a silly outcome. And it's but one silly outcome. What of the h= values?
How does an assessor know which ones were signed? That's a layering
violation according to -bis. Silly.

There's no proscription against providing those details if the
verifier wants to export them. The document is saying there
is "one" required output, not "only one" output; it's a minimum.
And I think it's pretty clear about that.

But it's not clear on the other outputs appropriate for the receiver to
consider.

You can have a table:

  status   REQUIRED
  SDID     REQUIRED, MANDATORY for Trust Identity Assessor (see 2.7)
  AUID     OPTIONAL, see 3.11
  ODID     OPTIONAL for Checking Signing Process (see RFC5585)

I think what 3.9 should state is that the purpose of these minimal
DKIM-related outputs is to get a Security and/or Trust Evaluation.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html