I've been thinking about this and discussing offline, so to put it differently:
5.1.2 says when a chain fails, to put cv=fail in the AS and only Seal the ARC Set being added. Per the original message and suggested text, I believe 5.1.2 should only provide the above guidance when it is not otherwise possible to sign the entire ARC Chain (i.e. when the Chain is structurally invalid and a deterministic set of headers cannot be enumerated).

Regardless of this behavior, the Chain is still equally dead. But in one scenario (initial ARC Chain not Sealed) you get no data from that dead chain, and in the other (failing Set Seals initial Chain) you can.

Might it be clearer to make my recommended change and also put something in 5.1.2 saying that the cv=fail Seal is just for trace purposes since the chain can never validate per 5.2?
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
