On Fri, Jul 27, 2018 at 10:29 AM, Seth Blank <[email protected]> wrote:
> On Fri, Jul 27, 2018 at 10:21 AM, Murray S. Kucherawy <[email protected]>
> wrote:
>
>> On Fri, Jul 27, 2018 at 8:35 AM, Seth Blank <[email protected]> wrote:
>>
>>> The verification algorithm is straightforward. If you receive a chain
>>> that ends with cv=fail stop your evaluation, you’re done. There’s no
>>> separate validation path here.
>>>
>>
>> Then why bother signing anything when you affix "cv=fail"?
>>
>
> Because adding your ARC Seal over the chain guarantees that the receiver
> has a complete list of everyone who modified the message up until the
> failure. Without this signature any failures cannot be localized, and any
> ARC data in a failed chain could not be trusted. This data is crucial for
> analysis, understanding the experiment, and reporting back accurate and
> untampered information.
>

But (and I think this proves my point) I don't know if "cv=fail" refers to
an invalid chain or a failed chain. I have to run the verification to
figure that out. But you're saying you just stop when you see "cv=fail".

I remain confused.

-MSK
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
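
The early exit on cv=fail discussed in this thread, as an added example that is not part of any participant's message or of any ARC implementation. It covers only the structural pre-check on the i= and cv= tags of ARC-Seal headers (cv=none at i=1, cv=pass afterwards, as in the ARC specification later published as RFC 8617); signature verification is out of scope, and the function names and sample headers are constructed for illustration.

```python
import re

# Constructed ARC-Seal header values (signature data elided; not real mail).
SAMPLE_FAILED_CHAIN = [
    "i=1; a=rsa-sha256; cv=none; d=example.org; s=sel; b=...",
    "i=2; a=rsa-sha256; cv=fail; d=example.net; s=sel; b=...",
]

def parse_tags(value):
    """Split a 'tag=value; tag=value' header body into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def precheck_chain(seal_values):
    """Return 'none' (no chain), 'fail', or 'verify' (signature checks still needed)."""
    if not seal_values:
        return "none"
    seals = {}
    for value in seal_values:
        tags = parse_tags(value)
        try:
            instance = int(tags["i"])
        except (KeyError, ValueError):
            return "fail"              # missing or non-numeric instance tag
        if instance in seals:
            return "fail"              # two seals claim the same instance
        seals[instance] = tags.get("cv")
    newest = max(seals)
    # Early exit from the thread: newest seal says cv=fail, so evaluation
    # stops here and no signature on the chain is examined.
    if seals[newest] == "fail":
        return "fail"
    # Instances must run 1..N with no gaps.
    if sorted(seals) != list(range(1, newest + 1)):
        return "fail"
    # The first seal must carry cv=none, every later one cv=pass.
    for instance, cv in seals.items():
        if cv != ("none" if instance == 1 else "pass"):
            return "fail"
    return "verify"
```

A result of 'verify' means only that the chain is structurally plausible; the ARC-Message-Signature and ARC-Seal signatures still have to be checked before the chain can be reported as passing.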
