Murray S. Kucherawy wrote:
Jim Fenton wrote:
RFC 4871 sec. 6.1 says, "Verifiers SHOULD ignore any DKIM-Signature
header fields where the signature does not validate." My concern is
that if the verifier reports "fail", it's not really ignoring the broken
signature.
Jim,
This is a _reporting_ mechanism, not an adjunct of DKIM itself. It's
entirely appropriate for the reporting mechanism to reveal internal
states of the DKIM verifier so that it can do useful things with it.
Like, oh say, generate pretty log reports about the percentage of
signatures that broke, etc, etc. Knowing something about the
internal verifier state does NOT break the admonition in 6.1;
that's just a simple fact that's being relayed.
DKIM-6.1's normative SHOULD leaves room to maneuver within an ADMD which
does have some reason to deviate from that language and thus wishes to
make a distinction between a failed signature and an unsigned message.
If a verifier implementing this proposal decides to report a DKIM "fail"
as "neutral", that distinction is no longer possible in such environments.
A general question: Is it appropriate for this draft to assist directly
in the enforcement of a normative SHOULD from other drafts?
I agree with Dave. 6.1 is about the equivalent nature of
broken/missing/etc signatures. This says nothing about treating them
distinctly for forensic reasons. That's what authres is conveying.
It's up to the consumer of authres to enforce 6.1 as appropriate.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html