On Wed, Jan 3, 2018 at 11:20 PM, Bron Gondwana <[email protected]> wrote:
> I assume this was the one that you wanted my clarification on?

Yes, thanks

> But let's rewrite it as oldest-pass, because that's clearer. Your case:
>
> * ARC 1: cv=none, ams.oldest-pass=0
> * ARC 2: cv=pass, ams.oldest-pass=1
> * ARC 3: cv=pass, ams.oldest-pass=2
> * ARC 4: cv=pass, ams.oldest-pass=3
> * final recipient ADMD ARC verifier would find cv=pass and evaluate
>   ams.oldest-pass as 4.
>
> And my case where 2 and 3 didn't change anything:
>
> * ARC 1: cv=none, ams.oldest-pass=0
> * ARC 2: cv=pass, ams.oldest-pass=1
> * ARC 3: cv=pass, ams.oldest-pass=1
> * ARC 4: cv=pass, ams.oldest-pass=1
> * final recipient ADMD ARC verifier would find cv=pass and evaluate
>   ams.oldest-pass as 4.
>
> From which the final recipient can also see that, if they trust ARC 4 not
> to lie, neither ARC 2 nor ARC 3 changed anything which was covered by ARC
> 1's AMS.
>
> There is no need to trust either ARC 2 or ARC 3's signatures in my
> example, which is the point here. Even if ARC 2 or ARC 3 are not yet known
> or trusted, you can tell that they didn't modify this particular message.

Very helpful - thanks. I think that expressing it in the positive "oldest-pass" form makes the point much clearer. Unless there is an outcry from the rest of the group, I'd like to change to this terminology.

--Kurt
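The two chains above, worked through as an added example (not code from the thread or from any ARC implementation). It is a toy model: real ARC verifies DKIM-style signatures, whereas here an AMS "validates" at a hop iff no hop between its signer and that hop changed the message. Function names and the `modifies` map are my own assumptions.

```python
from typing import Dict, List

# Constructed scenarios: which hop altered the message before signing its
# own AMS (hop 1's changes are irrelevant, nothing earlier covers them).
KURT_CASE = {2: True, 3: True, 4: True}    # every hop changed something
BRON_CASE = {2: False, 3: False, 4: True}  # only ARC 4 changed something

def ams_validates(j: int, at_hop: int, modifies: Dict[int, bool]) -> bool:
    """AMS j (signed as the message left hop j) still verifies on arrival
    at `at_hop` iff no hop strictly between them modified the message."""
    return not any(modifies.get(k, False) for k in range(j + 1, at_hop))

def oldest_pass(at_hop: int, modifies: Dict[int, bool]) -> int:
    """Lowest instance whose AMS validates on arrival at `at_hop`;
    0 when there is no earlier ARC set (i.e. at ARC 1)."""
    for j in range(1, at_hop):
        if ams_validates(j, at_hop, modifies):
            return j
    return 0

def seal_chain(modifies: Dict[int, bool], hops: int) -> List[dict]:
    """What each ARC set i = 1..hops records: cv and ams.oldest-pass.
    cv is 'none' for the first set and 'pass' afterwards (all seals valid)."""
    return [{"instance": i,
             "cv": "none" if i == 1 else "pass",
             "oldest_pass": oldest_pass(i, modifies)}
            for i in range(1, hops + 1)]

def verifier_oldest_pass(modifies: Dict[int, bool], hops: int) -> int:
    """The final recipient ADMD evaluates as if it were hop hops+1."""
    return oldest_pass(hops + 1, modifies)

def unchanged_hops(chain: List[dict], trusted_instance: int) -> List[int]:
    """If the seal of `trusted_instance` is trusted not to lie, every hop
    after its recorded oldest-pass and before it left the AMS-covered
    content intact; their own signatures need not be trusted at all."""
    p = chain[trusted_instance - 1]["oldest_pass"]
    return list(range(p + 1, trusted_instance))
```

Bron's chain records oldest-pass 0, 1, 1, 1 and Kurt's 0, 1, 2, 3; both evaluate to 4 at the final recipient, but only Bron's lets a verifier that trusts ARC 4 conclude that hops 2 and 3 changed nothing.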
