On Mon, Jun 19, 2017 at 3:51 PM, Gene Shuman <[email protected]> wrote:
> Starting a new thread, as this is probably *the* major blocker wrt
> OpenARC. . .
>
Taking your two questions in reversed order:
. . .what *precisely* constitutes an invalid chain vs a failing one? I had
> previously been working on the assumption that invalid was a property
> strictly relate to the i= tag & the chain itself. ie. duplicate i= tags,
> missing i= tags, missing AMS, AS, AAR headers, etc.
This is what we intended when writing the spec and with some of the initial
implementations. "invalid" is a description of a chain which does not have
all of the right pieces ("structural integrity" is the term used in
5.1.1.5). "fail" is what happens when something else is broken (can't or
doesn't validate - no "s" tag for instance).
> with an invalid/mangled chain, how are we suposed to compute a b= value
> for the ARC-Seal?
>
Thinking back to the conversations when the spec was being initially
developed, I don't know that we touched on this specific scenario, but I
think that the most consistent approach with the rest of the spec would be
to have the spec call out a specific "implicit h=" handling for this
situation. I'd suggest the following approach for creating an ARC set in an
invalid situation: set i = one more than the highest i value found in the
(mangled) ARC fragments or 51 (based on the "Maximum 'i' Tag Value). Use
only the ARC headers for this set in the implicit 'h' since those will be
entirely under the control of the signing system. For the AMS, nothing
special should be required.
How does that sound?
--Kurt
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
