Charles Lindsey wrote:
> On Thu, 28 Apr 2011 18:52:19 +0100, John R. Levine <jo...@iecc.com> wrote:
>
>> Last paragraph of sec 5.2: " Verifiers SHOULD ignore failed signatures as
>> though they were not present in the message."
>
> Actually, that does not seem quite right. It is assessors who should do
> that. Verifiers are explicitly asked to report "PERMFAIL" in that case,
> which is not quite the same thing as "ignoring".
+1.
The sentence/paragraph should probably be reworded:
CURRENT:
Verifiers SHOULD ignore failed signatures as though they were not
present in the message. Verifiers SHOULD continue to check
signatures until a signature successfully verifies to the
satisfaction of the verifier. To limit potential denial-of-service
attacks, verifiers MAY limit the total number of signatures they will
attempt to verify.
PROPOSED CHANGED:
Verifiers SHOULD continue to check signatures until a signature
successfully verifies to the satisfaction of the verifier.
While Verifiers MAY report invalid signatures using methods
described in section 7.2, verifiers MUST never evaluate invalid
signatures for trust-based SDID identity assessment.
If no valid signature is found, the message is considered to be
unsigned by DKIM standards.
To limit potential denial-of-service attacks, verifiers MAY
limit the total number of signatures they will attempt to verify.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
