> I think what we want is: > > The verifier MUST support at least one of the signature algorithms. > The verifier MUST check all the algorithms it supports. > The signature MUST be valid for all signatures.
I think this is closer to right, but... > The verifier MUST check all the algorithms it supports. Why? Perhaps I want to retain support for algorithm Q in case I get messages with it, but I'm really done with it and prefer algorithm T. What I want to do is only check Q if that's the best I have. And perhaps a sender is sending Q to support verifiers that haven't added support for T yet, but they are also sending T. What value is there either to me or the sender to tell me I MUST check the Q sig? How does it harm anything if I just check the one with T? What's wrong with something like this: The verifier MUST support at least one of the signature algorithms. The verifier SHOULD check all the algorithms it supports. The signature MUST be valid for all signatures that are checked. ...and we add an explanation for the SHOULD. Barry _______________________________________________ Ietf-dkim mailing list -- [email protected] To unsubscribe send an email to [email protected]
