Steffen Nurpmeso wrote in <20250719193843.zZ-eWgbK@steffen%sdaoden.eu>:
|Bron Gondwana wrote in
| <[email protected]>:
 ...
||2) all the later hops can validate all previous signatures, so if they \
||aren't happy about the content of a message they can tell if it was \
||insufficiently checked by a previous hop (which they need to do anyway, \
||because any hop can lie about the validation it has done of previous hops.
|
|This is not for ACDC, except in "R"eputation mode.
|
|That is, one could do that, always, one likely would have a
|software config switch, too: it makes absolutely no sense to
|apply very expensive actions if i just *know* the domain X-1 does
|it right.
|
|*But*, i blindly trust RFC 5863, section 2.5, on "organizational
|trust", in that this knowledge can also very well be automatized.
|Especially so in case of succeeding verifications, the reputation
|checks could become more and more sparingly. Maybe, maybe
|different to 5863, it could be reset upon failure immediately,
|because something is very, very wrong. And resetting does not
|really hurt except by increasing verification costs a bit, more
|often.

Funnily i am just now reading a message of the pretty famous Larry
McVoy of Sun and Bitkeeper etc on TUHS, and even though that is
about ethernet i think it applies a hundred percent here, too:

  The nay sayers were mumbling about forwarding corrupt packets but
  that got shut down because (A) the final destination of the packet
  will catch that it is corrupt and (B) corrupt packets are vanishingly
  rare so making all the switches slow for something that doesn't
  happen often is stupid.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
|During summer's humble, here's David Leonard's grumble
|
|The black bear,          The black bear,
|blithely holds his own   holds himself at leisure
|beating it, up and down  tossing over his ups and downs with pleasure
|
|Farewell, dear collar bear
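
Added example, not part of the original message and not taken from any ACDC draft: a sketch of the sparing reputation check described in the message above, where each successful verification of the previous hop widens the gap before the next expensive check and any failure resets it immediately. The class name, the doubling interval, the cap and the sample messages are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class HopTrust:
    streak: int = 0    # consecutive successful verifications of this domain
    skipped: int = 0   # messages accepted without a check since the last one

class SparingVerifier:
    """Hypothetical policy: check domain X-1 less often the longer it verifies cleanly."""

    def __init__(self, verify, max_interval=64):
        self.verify = verify              # callable(domain, msg) -> bool, the expensive check
        self.max_interval = max_interval  # assumed cap so trust never becomes unconditional
        self.state = {}
        self.checks_run = 0

    def handle(self, domain, msg):
        st = self.state.setdefault(domain, HopTrust())
        interval = min(2 ** st.streak, self.max_interval)
        if st.skipped + 1 < interval:
            st.skipped += 1               # still inside the trusted window
            return "unverified"
        self.checks_run += 1
        st.skipped = 0
        if self.verify(domain, msg):
            st.streak += 1                # success: next window is twice as long
            return "verified"
        st.streak = 0                     # failure: reset at once, check everything again
        return "failed"

def run_demo():
    # Constructed input: 16 messages from one hop, the 15th fails verification.
    msgs = [b"ok"] * 14 + [b"bad"] + [b"ok"]
    v = SparingVerifier(lambda domain, msg: msg != b"bad")
    outcomes = [v.handle("x-1.example", m) for m in msgs]
    return outcomes, v.checks_run, v.state["x-1.example"].streak

if __name__ == "__main__":
    outcomes, checks, streak = run_demo()
    for n, o in enumerate(outcomes, 1):
        print(n, o)
    print("expensive checks run:", checks, "of", len(outcomes))
```

A message that arrives inside a trusted window is accepted unchecked, so this only makes sense where a later hop or the final destination still validates the chain, which is the trade-off the message argues for.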
