On Wed, May 31, 2017 at 3:08 PM, Brandon Long <[email protected]> wrote:
> On Wed, May 31, 2017 at 1:42 PM, Murray S. Kucherawy <[email protected]> wrote:
>
>> On Wed, May 31, 2017 at 1:35 PM, Murray S. Kucherawy <[email protected]> wrote:
>>
>>> What benefit is there to covering AAR with both the AMS and the AS? It
>>> seems to me the AMS is much cleaner (in the sense of ARC being a layer atop
>>> DKIM) if it is purely a renamed DKIM signature with an instance number.
>>>
>>> Put another way, the apparent intent here is to require that things be
>>> generated in a specific order (AAR, then AMS, then AS) but it seems to me
>>> there's no obvious benefit to imposing that constraint given that AS is
>>> supposed to cover everything anyway.
>
> Ignoring your DKIM bit, I can also see how this could be extended to think
> about the oddness that having two signatures and whether the keys need to
> match between AS/AMS.
>
> One could imagine that the AMS was just a hash, and it would be a single
> signature in the AS which covers it. That's obviously more different than
> DKIM, but reduces the size of the headers and makes a single point of
> ownership.

Indeed, AS could sign (a) a locally-generated DKIM signature, with an instance tag (since DKIM validators ignore tags they don't know), plus (b) the current and all previous AAR/AS fields.

-MSK
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
