On Mar 1, 2007, at 3:07 PM, Arvel Hathcock wrote:
The folks supporting to list used algorithms in the SSP apparently
think that receivers could care about this nuance.
In my view, they won't care. They can't care. In fact, they *dare
not* care. Knowing that a signature "might have verified if only I
knew how to do so" is worthless from a practical perspective.
1) When a signer offers multiple signatures, the verifier should
select their preferred signature.
2) When a signer indicates that an algorithm within the a signature
has been deprecated, then the verifier should expect the specified
signature to be available.
3) When the specified alternative signature does not exist, the
deprecated signature should be considered invalid.
Verifiers desiring the strongest protection should be able to detect
when an optional signature has been removed. This protection ensures
a graceful transition regardless of the severity of the possible
threat. Ensuring a graceful transition is a practical
consideration. Dare to care.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
