[mail-vet-discuss] Degrading DKIM "fail" to "neutral" (was Re: Last Call: ...)

[Michael Thomas]

Murray S. Kucherawy wrote:
> Jim Fenton wrote:
>> RFC 4871 sec. 6.1 says, "Verifiers SHOULD ignore any DKIM-Signature
>> header fields where the signature does not validate."  My concern is
>> that if the verifier reports "fail", it's not really ignoring the broken
>> signature.
>>   

Jim,

This is a _reporting_ mechanism, not an adjunct of DKIM itself. It's
entirely appropriate for the reporting mechanism to reveal internal
states of the DKIM verifier so that it can do useful things with it.
Like, oh say, generate pretty log reports about the percentage of
signatures that broke, etc, etc. Knowing something about the
internal verifier state does NOT break the admonition in 6.1;
that's just a simple fact that's being relayed.

> 
> DKIM-6.1's normative SHOULD leaves room to maneuver within an ADMD which 
> does have some reason to deviate from that language and thus wishes to 
> make a distinction between a failed signature and an unsigned message.  
> If a verifier implementing this proposal decides to report a DKIM "fail" 
> as "neutral", that distinction is no longer possible in such environments.
> 
> A general question: Is it appropriate for this draft to assist directly 
> in the enforcement of a normative SHOULD from other drafts?

I agree with Dave. 6.1 is about the equivalent nature of 
broken/missing/etc signatures. This says nothing about treating them
distinctly for forensic reasons. That's what authres is conveying.
It's up to the consumer of authres to enforce 6.1 as appropriate.

		Mike