On Thu 17/Jul/2025 01:45:45 +0200 Bron Gondwana wrote:
On Wed, Jul 16, 2025, at 17:05, Barry Leiba wrote:
What's wrong with something like this:
The verifier MUST support at least one of the signature algorithms.
The verifier SHOULD check all the algorithms it supports.
The signature MUST be valid for all signatures that are checked.
...and we add an explanation for the SHOULD.
Yeah, I think I agree with you. When adding a new algorithm support I would be likely to
put it in a "check but don't use" state, where I'd log the result to see if it
was well implemented at either my end or the sending end, and once it looked like it was
generally solid I'd turn it on for real.
We could also add another result type for aggregate reports and A-R headers,
e.g. "neglected" to mean that it is supported but not verified. This might
help understanding when to stop signing with algorithm Q.
Best
Ale
--
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
