On Sat, 07 May 2011 13:50:41 +0100, Alessandro Vesely <vesely(_at_)tana(_dot_)it> wrote:
On 06/May/11 20:37, Murray S. Kucherawy wrote:
Verifiers SHOULD ignore those signatures that produce a PERMFAIL
result (see Section 7.1), acting as though they were not present
in the message. ...
s/Verifiers SHOULD ignore/Identity assessors SHOULD ignore/
(and probably in other places too). Verifiers are explicitly instructed
to return PERMFAIL/TEMPFAIL, and "returning" something is evidently
inconsistent with "ignoring" it.
+1
Since this is already somewhat mushy, might I suggest:
Verifiers MAY decline to report, and identity assessors SHOULD ignore,
...
I wouldn't delve into what identity assessors should do, since that is
outside the scope of the DKIM Signing specification. The wording in
section 3.9 already conveys that "ignoring" is being used as a synonym
for "returning PERMFAIL". I'd make such meaning more explicit rather
than introducing yet a new phrase to allude to the same behavior.
Yes, the wording certainly needs clarifying.
Essentially, a Verifier is a module within a server that is called upon to
express an opinion regarding the validity of the signature(s) in some
message.
As such, it is bound to return SOME result (otherwise the server is just
going to hang). So phrases like "ignore" have no place within it (unless
IGNORED is a specific permitted response).
Oddly, the present document does not provide a return option PASS (maybe
that is implicit, but its absence may be the cause of the confusion). It
does provide PERMFAIL and TEMPFAIL. It also REQUIRES that the 'd=' tag be
returned (is that only in the PASS case?), and other tags etc. MAY be
returned (such as the things Hector wants included). But since the message
itself is still available for inspection, these other returns might be
regarded as redundant (so long as the particular signature being reported
on is identifiable when there are several).
If there is no signature at all, does that mean the verifier is never
called? For sure, if it is called and there is no signature, PERMFAIL is
to be returned.
But, one way or another, the wording needs cleaning up, and maybe
explicitly replacing "ignore" by PERMFAIL is enough.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5