On Dec 2, 2008, at 8:51 AM, Lisa Dusseault wrote:
On Mon, Dec 1, 2008 at 11:33 PM, Murray S. Kucherawy
<msk(_at_)sendmail(_dot_)com> wrote:
Current wisdom among [DKIM] verifier implementations is to avoid
taking final filtering actions such as rejecting messages based on
a "fail" result, as there are plenty of legitimate reasons a signed
message might fail to verify. Instead, such messages should
generally be treated as though they were not signed at all. Thus,
a verifier MAY elect to report "neutral" in place of "fail" to
discourage needlessly harsh reactions from downstream agents.
This seems like a bad idea to me; verifiers can always say whatever
they like but encouraging them to report less accurate information
seems like a poor choice for the long term compared to just
reporting the most accurate status. Why would we recommend
verifiers "lie" instead of recommending downstream agents to
consider accepting failed signatures?
Lisa,
In this case, Neutral would be a valid state since it also means that
the signature causing this header entry was not valid. Other out-of-
band schemes might impose a fail status, such as ADSP. Unfortunately,
ADSP currently requires senders to lie or remain silent about the "on-
behalf-of" value. Removing "fail" entirely from the list of choices
seems more appropriate.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html