Sure, with DKIM. With ARC, it's a bit more complicated: we need to
understand exactly how to sign the chain if there are multiple AMS and AS
headers. We probably want text about what happens if only one verifies as
well, and whether a hop should continue signing both paths or just one.

All quite reasonable.

Only one verifies: that's fine, the other is likely an algorithm you don't handle (yet). This is inherited from DKIM: a broken signature is the same as no signature and doesn't imply anything bad.

What to sign: just one. It occurs to me that this is kind of fragile, since if you just sign one, it has to be the one that is farther down. I'm wondering if we should suggest that if there are two signatures for the same thing, discard the one you didn't use.

Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
