ietf-mailsig

RE: accreditation

2005-07-25 16:32:11


From: Michael Thomas [mailto:mike(_at_)mtcc(_dot_)com] 

Hallam-Baker, Phillip wrote:
I don't understand what this would achieve. The syntax is
extensible right now, so why specify something that doesn't 
have semantics?


The semantics are already defined in the X.509v3 and PKIX 
specifications.

I'm sorry, but the semantics of what a DKIM receiver would
do with it are not. I have no clue as to what it would mean.

Since we have not specified ANY semantics of that type the test is
irrelevant.

The closest we get is to state that mail with signatures that fail
should be treated the same as unsigned mail. Nowhere do we state what to
do with a mail if the signature verifies.


If your question is 'how do I code this' it really depends on the
application. If you don't see the value of accreditation data you are
under no obligation to code for it.

The way I would do it is to make the decision procedure a separate
(pluggable) module. I would use a code architecture similar to that of
IIS or Apache and make it so that the plug-in can see all of the
attributes of the key record as attribute/value pairs.

I would also code the system to cache the accreditation data to avoid
the need for repeated re-evaluation.
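
The pluggable decision module with cached results described in the message above, sketched in Python as an added example that is not part of the original post or of any DKIM implementation. The `x-accred` tag, the accreditor name, the verdict strings and all class and function names are assumptions made for illustration.

```python
import time

def parse_key_record(txt):
    """Split a tag=value key record into attribute/value pairs."""
    attrs = {}
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)  # values may contain '=' padding
            attrs[tag.strip()] = value.strip()
    return attrs

class DecisionEngine:
    def __init__(self, ttl=3600, clock=time.monotonic):
        self.plugins = []   # callables: attrs dict -> verdict string or None
        self.cache = {}     # (selector, domain) -> (expiry, verdict)
        self.ttl, self.clock = ttl, clock
        self.evaluations = 0  # counts plug-in runs, to show cache hits

    def register(self, plugin):
        self.plugins.append(plugin)

    def decide(self, selector, domain, record_txt, signature_ok):
        # The one rule stated in the thread: a signature that fails is
        # handled exactly like unsigned mail; no plug-in is consulted.
        if not signature_ok:
            return "unsigned"
        key = (selector, domain)
        hit = self.cache.get(key)
        if hit and hit[0] > self.clock():
            return hit[1]  # cached verdict, no re-evaluation
        self.evaluations += 1
        attrs = parse_key_record(record_txt)
        verdict = "verified"  # default when no plug-in has an opinion
        for plugin in self.plugins:
            result = plugin(attrs)
            if result is not None:
                verdict = result
                break
        self.cache[key] = (self.clock() + self.ttl, verdict)
        return verdict

# Hypothetical plug-in: trusts one constructed accreditor name.
def accreditation_plugin(attrs):
    if attrs.get("x-accred") == "accreditor.example":
        return "verified+accredited"
    return None

# Constructed key record; "x-accred" is an assumed tag, not a defined one.
SAMPLE_RECORD = "k=rsa; p=CONSTRUCTEDKEY; x-accred=accreditor.example"
```

A receiver that sees no value in accreditation data simply registers no plug-in and gets the default verdict for every verified signature.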


