[mail-vet-discuss] Auth-Results issue #4 method=value values

Tony Hansen tony at att.com
Wed Apr 19 21:05:52 PDT 2006


Murray S. Kucherawy wrote:
> Tony Hansen wrote:
>>>> A related question is what value should be put in the headerspec for
>>>> failure situations? The identity has not been verified, so there's no
>>>> value to be put into the headerspec.
>>>
>>> Why would it change?  The method still based its evaluation on something
>>> (a header value, envelope data, "i=", or something else).
>>
>> Sometimes it's the lack of something that causes the failure, not the
>> presence of it. And the value part is supposed to include an extracted
>> value; what if there *is* no such value?
> 
> I think in the cases of some kind of fatal syntax failure of the method
> being applied, you simply wouldn't include an A-R header at all for that
> method.

I disagree. What if the policy for auth method X says that all
X-Sig-Fobs must include the (normally optional) Y-dohicky parameter, but
the X-Sig-Fobs did not? This is clearly a case where X was being
applied, it failed due to a policy decision, and the reason is that
something was missing. What value would go into the headerspec for such
a failure situation?

This gets back to the argument that the headerspec should be a
subordinate clause to the authentication mechanism information, and that
the value portion of the headerspec probably should be optional as well.

>> Consider a message that is missing a dkim-signature header where the
>> policy says that the header is required; what do you put into the value
>> part of the headerspec?
> 
> Actually, DKIM (last I checked) said you didn't look at the policy
> unless the signature failed to verify.  This would therefore be another
> case where I just reported no result of any kind.

DKIM-base doesn't say anything about policy.

This is one of the issues pending discussion until after dkim-base is
finished. :-)

	Tony Hansen
	tony at att.com

