On Thu, Jun 1, 2017 at 5:32 AM, Murray S. Kucherawy <[email protected]> wrote:
>
> If a verifier decides an ARC is invalid, it's supposed to set
> "cv=invalid", when generating its own ARC-Seal. This seems odd; we're
> cryptographically signing a chain that is known to be broken, meaning the
> next handler might not even be able to get as far as consuming the "cv="
> value we're putting there because the chain can't be validated in the first
> place.
>

Since looking at the ARC-Seal is the very first step in evaluating the chain, I'm not sure why a handler would have a problem unless the ARC-Seal is subsequently mangled beyond recognition (a situation which is covered elsewhere). Signing the chain documents its state at the time of processing and the AAR that is covered by the AS tells the next recipient where that broken chain came from.

--Kurt
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
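The evaluation order discussed in this message, as an added example that is not part of the thread or of any ARC implementation: a handler verifies the newest ARC-Seal first and, if that seal carries `cv=invalid` (the value as written in the thread), stops without touching the older, broken sets. `evaluate_chain` and the `verify_seal` callback are hypothetical names, and the header values are constructed.

```python
# Constructed sample ARC-Seal header bodies; b= values are placeholders.
SAMPLE_SEALS = [
    "i=1; a=rsa-sha256; cv=none; d=origin.example; s=sel; b=PLACEHOLDER",
    "i=2; a=rsa-sha256; cv=pass; d=list.example; s=sel; b=PLACEHOLDER",
    "i=3; a=rsa-sha256; cv=invalid; d=relay.example; s=sel; b=PLACEHOLDER",
]


def parse_tags(value):
    """Split a 'tag=value; tag=value' header body into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def evaluate_chain(seal_values, verify_seal):
    """Evaluate ARC-Seals newest first.

    verify_seal(tags) -> bool is a caller-supplied signature check for one
    seal (assumption: the real cryptographic check lives elsewhere).
    Returns the status, a reason, and the instances that were verified.
    """
    def result(status, reason, verified=()):
        return {"status": status, "reason": reason, "verified": list(verified)}

    seals = {}
    for value in seal_values:
        tags = parse_tags(value)
        if not tags.get("i", "").isdigit() or int(tags["i"]) in seals:
            return result("invalid", "missing, malformed or duplicate i=")
        seals[int(tags["i"])] = tags
    if not seals:
        return result("none", "no ARC-Seal present")
    newest = max(seals)
    if sorted(seals) != list(range(1, newest + 1)):
        return result("invalid", "gap in instance numbers")

    verified = []
    for inst in range(newest, 0, -1):
        if not verify_seal(seals[inst]):
            return result("invalid", f"seal i={inst} failed verification", verified)
        verified.append(inst)
        # The newest seal documents the chain state its signer observed.
        if inst == newest and seals[inst].get("cv") == "invalid":
            signer = seals[inst].get("d", "unknown")
            return result("invalid", f"marked broken by {signer} at i={inst}", verified)
    return result("pass", "all seals verified", verified)
```
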
