On Wed, Jul 16, 2025, at 02:47, Richard Clayton wrote: > If there is more than one signature then a verifier MUST check both of > them and __both__ must be valid.
I think what we want is: 1. The verifier MUST support at least one of the signature algorithms. 2. The verifier MUST check all the algorithms it supports. 3. The signature MUST be valid for all signatures. So we can add new mechanisms which some verifiers don't support, and it's fine to not support an algorithm but you have to support at least one that's used or we have problems. This doesn't solve deprecation and when to stopping sending the original algorithms, but that problem is a whole coordination issue that has been dealt with in other protocols and we'd follow guidance from the SEC area here. Bron. -- Bron Gondwana, CEO, Fastmail Pty Ltd / Fastmail US LLC [email protected]
_______________________________________________ Ietf-dkim mailing list -- [email protected] To unsubscribe send an email to [email protected]
