[ietf-dkim] Output summary
Murray S. Kucherawy
msk at cloudmark.com
Wed Apr 27 23:22:56 PDT 2011
> -----Original Message-----
> From: John R. Levine [mailto:johnl at iecc.com]
> Sent: Wednesday, April 27, 2011 3:33 PM
> To: Murray S. Kucherawy
> Cc: ietf-dkim at mipassoc.org
> Subject: Re: [ietf-dkim] Output summary
> I wouldn't be opposed to doing so, except that 4871 says in two separate
> places not to do that. Section 7 is, now that I look at it, really badly
> written, since it implies that a "verifier" is an SMTP server.
I can take a run at fixing Section 7. What's the other place that says not to do that?
> We probably have reasonably good agreement about what a verifier should
> a) If at least one signature verifies, report success with the d= value(s)
> of the valid signature(s) and optionally other stuff.
> b) If nothing verified and nothing tempfailed, report no signatures.
> c) If nothing verified and something tempfailed, return a hint to try
> again later.
> d) If at least one signature verified and at least one tempfailed, uh,
> flip a coin and either report success or a try again hint.
> Unfortunately, that's not really what the existing language says.
My preference would be to return a list of signatures that either passed or TEMPFAILed, which could be the empty set if all of them PERMFAILed or the message was unsigned, or none of them were acceptable in the first place for whatever policy reasons. The caller can decide whether it wants to try the whole shebang again later, or continue with what it got. It's simple and complete.
Can folks live with that?
More information about the ietf-dkim