On Wed, Jan 3, 2018 at 6:28 PM, Kurt Andersen (b) <[email protected]> wrote:
> On Wed, Jan 3, 2018 at 11:20 PM, Bron Gondwana <[email protected]> wrote:
>
>> I assume this was the one that you wanted my clarification on?
>
> Yes, thanks
>
>> But let's rewrite it as oldest-pass, because that's clearer. Your case:
>>
>> * ARC 1: cv=none, ams.oldest-pass=0
>> * ARC 2: cv=pass, ams.oldest-pass=1
>> * ARC 3: cv=pass, ams.oldest-pass=2
>> * ARC 4: cv=pass, ams.oldest-pass=3
>> * final recipient ADMD ARC verifier would find cv=pass and evaluate
>>   ams.oldest-pass as 4.
>>
>> And my case where 2 and 3 didn't change anything:
>>
>> * ARC 1: cv=none, ams.oldest-pass=0
>> * ARC 2: cv=pass, ams.oldest-pass=1
>> * ARC 3: cv=pass, ams.oldest-pass=1
>> * ARC 4: cv=pass, ams.oldest-pass=1
>> * final recipient ADMD ARC verifier would find cv=pass and evaluate
>>   ams.oldest-pass as 4.
>>
>> From which the final recipient can also see that, if they trust ARC 4 not
>> to lie, neither ARC 2 nor ARC 3 changed anything which was covered by
>> ARC 1's AMS.
>>
>> There is no need to trust either ARC 2 or ARC 3's signatures in my
>> example, which is the point here. Even if ARC 2 or ARC 3 are not yet known
>> or trusted, you can tell that they didn't modify this particular message.
>
> Very helpful - thanks. I think that expressing it in the positive
> "oldest-pass" form makes the point much clearer. Unless there is an outcry
> from the rest of the group, I'd like to change to this terminology.

Just to be clear, we're saying "*.oldest-pass" will contain the instance
number of the most recent AMS that passed? Or is it the distance from the
verifier to the most recent passing ADMD?

-MSK
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
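To make the oldest-pass arithmetic in the two chains above concrete, here is an added simulation; it is not code from the thread or from any ARC implementation. It models each hop's AMS as a plain SHA-256 of the body the hop forwards (a stand-in for the real ARC-Message-Signature), computes oldest-pass the way Bron's examples do (the lowest instance number whose AMS still validates at the current hop, 0 when none does), and reproduces both chains; the `ArcSet`, `seal` and `unmodified_hops` names and the footer-appending hops are constructed for this illustration.

```python
import hashlib
from dataclasses import dataclass

# Simplified stand-in for one ARC set (illustration only, not a real ARC
# implementation): "ams" is a SHA-256 of the body the sealing hop forwarded.
@dataclass
class ArcSet:
    instance: int
    ams: str
    cv: str           # chain validation status as in the thread: none / pass
    oldest_pass: int  # lowest earlier instance whose AMS still validated

def ams_for(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()

def oldest_pass(chain: list[ArcSet], body: str) -> int:
    """Lowest instance whose AMS validates against the body as received,
    or 0 when none does (first hop, or every earlier AMS broken)."""
    passing = [s.instance for s in chain if s.ams == ams_for(body)]
    return min(passing) if passing else 0

def seal(chain: list[ArcSet], body_in: str, modifies: bool) -> str:
    """One hop: evaluate oldest-pass on the message as received, optionally
    modify it (constructed footer), then seal the outgoing body."""
    inst = len(chain) + 1
    op = oldest_pass(chain, body_in)
    body_out = body_in + f"-- footer added by hop {inst}\n" if modifies else body_in
    chain.append(ArcSet(inst, ams_for(body_out), "none" if inst == 1 else "pass", op))
    return body_out

def build_chain(modifiers: list[bool]) -> tuple[list[ArcSet], str]:
    """Push a constructed message through len(modifiers) hops; hop i modifies
    the body when modifiers[i-1] is True. Returns the chain and final body."""
    body, chain = "Hello from the sender\n", []
    for modifies in modifiers:
        body = seal(chain, body, modifies)
    return chain, body

def oldest_pass_trace(modifiers: list[bool]) -> list[int]:
    """Each hop's recorded oldest-pass, then what the final verifier evaluates.
    Every hop modifying gives [0, 1, 2, 3, 4]; only hop 4 modifying gives
    [0, 1, 1, 1, 4], matching the two chains in the thread."""
    chain, body = build_chain(modifiers)
    return [s.oldest_pass for s in chain] + [oldest_pass(chain, body)]

def unmodified_hops(chain: list[ArcSet]) -> set[int]:
    """Hops the final recipient can clear without trusting their own seals,
    provided it trusts the last hop's recorded oldest-pass: everything sealed
    after that oldest-pass and before the last hop changed nothing."""
    last = chain[-1]
    return set(range(last.oldest_pass + 1, last.instance)) if last.oldest_pass else set()
```

The trace answers the instance-number-versus-distance question for these examples: the recorded value is the oldest passing instance number, so a hop that forwards unchanged carries the previous hop's value forward rather than incrementing it.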
