[ietf-dkim] Issue: Requirements #9 NOT REQUIRED for 1st party valid signatures.
Hector Santos
hsantos at santronics.com
Fri Aug 11 02:29:42 PDT 2006
----- Original Message -----
From: "Stephen Farrell" <stephen.farrell at cs.tcd.ie>
To: "Hector Santos" <hsantos at santronics.com>
> Those are not in conflict. As I read it the requirement states that
> an SSP lookup MUST NOT be REQUIRED (== is OPTIONAL) when a valid
> first party signature is present.
>
> I guess rephrasing it as follows might make you happier:
>
> The Protocol MAY be invoked when a valid first party signature
> is present.
>
> [INFORMATIVE NOTE: The expectation is that most implementations
> will not (always) invoke the protocol in this case.]
>
> IMO those are equivalent, so I don't mind which gets used. Maybe
> others prefer one over the other or don't agree about equivalence?
>
I read it as optional too, and that's how we will use it for our design too
(SSP first).
[Quick Response]
Maybe we have two requirements here:

    The PROTOCOL MAY BE invoked prior to verification as
    a pre-requisite for requirement 2, 3, 4 and 7.

    The PROTOCOL IS NOT required to be invoked when a 1st party
    signature is detected.

My suggestion is to remove it and allow the designers to decide how they
want to do it or maybe split it because I think it's two different things.
[Optional Detail Response]
As it stands now, to me, it doesn't sound like it fits when you compare it
against the following requirements:
    2. The Protocol MUST be able to publish a Practice that
       the domain doesn't send mail.
    3. The Protocol MUST be able to publish a Practice that the
       domain's signing behavior is "DKIM Signing Complete"
    4. The Protocol MUST be able to publish an Expectation that a
       verifiable First Party DKIM Signature should be expected on
       receipt of a message.
    7. If the Discovery process would be shortened by publication of a
       "null" practice, the protocol SHOULD provide a mechanism to
       publish such a practice.
If you have no signature, then there is nothing to verify.
This seems to all say that maybe we need a nemesis of "DKIM Signing
Complete" called "DKIM Verifier Complete" <g>
So it seems to me that you have 4 out of 10 requirements that conflict
with the "MUST NOT be required to be invoked" requirement because in order
to satisfy 4 of them, you need to do a lookup to handle the cases where
there is no signature in the message.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com