On Fri, Jul 27, 2018 at 10:39 AM, Murray S. Kucherawy <[email protected]> wrote: > > But (and I think this proves my point) I don't know if "cv=fail" refers to > an invalid chain or a failed chain. I have to run the verification to > figure that out. But you're saying you just stop when you see "cv=fail". > > I remain confused. >
I don't understand what you're exploring. The algorithm in https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-16#section-5.2 is clear and the separate paths you're describing don't factor it. On validation, you grab the highest instanced ARC set (step 1), and then start a process to set the chain validation status of the inbound ARC Chain. If the highest instanced ARC Set has cv=fail in it, you're done (step 2). No cryptographic checks have even been performed at this point, because in either scenario the chain is dead. If the AS validates and you have cv=fail, then the chain state is fail. If the AS does not validate, then the chain state is fail. Crypto isn't checked until step 3, and we never get there. If you're doing analysis and want to understand what caused the chain to fail, you're now outside of validation and outside of matters that affect interoperability. Or am I still misunderstanding what you're getting at?
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
