On Tue, 2005-10-18 at 00:39 +0000, Mark Delany wrote:
> On Mon, Oct 17, 2005 at 05:09:01PM -0500, Earl Hood allegedly wrote:
> > [ re body hashes ]
>
> > It also provides benefits in diagnostics, logging, auditing, and
> > dealing with multiple signatures.
>
> On the matter of diagnostics, while a binary indicator saying the
> cause of a failure is the header vs the content is mildly useful, I
> think the whole role of diagnostic mechanisms needs to be much more
> comprehensive than this to be useful. It's one of the areas that we
> started focusing on heavily in DK - what additional diagnostic
> material can be supplied to help automate and categorize verification
> failures?
>
> I would hazard that comprehensive, automated diagnostics should be
> available before finalizing canonicalization.

Much more can be done in the area of diagnostics. Capturing the body hash would be useful and not add substantially to the overall overhead. As Earl points out, it also allows the disposition of the signature to be determined ahead of the data phase completing. This may allow earlier execution of other checks, such as reputation checks on the IP address, when the signature is found bad. Invalid hash should not provide some acceptance value, and at some point the message may be dropped as a result.

It might be handy to define a header diagnostic which lists header checksums to also isolate which header is being damaged. I could draw up some ideas.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org
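The per-header checksum diagnostic floated in the message above, sketched as an added example (not part of the original post and not a mechanism defined by DKIM or DomainKeys). The diagnostic layout, the truncated SHA-256 checksums, the whitespace-folding canonicalization and all function names are assumptions chosen for illustration.

```python
import hashlib
import re

def canon_header(name, value):
    # Assumed canonicalization: lowercase name, unfold and collapse whitespace.
    value = re.sub(r"\s+", " ", value).strip()
    return (name.strip().lower() + ":" + value).encode()

def canon_body(body):
    # Assumed canonicalization: CRLF line endings, trailing empty lines dropped.
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()

def checksum(data, length=8):
    # Truncated SHA-256: localises damage only, it is not a signature.
    return hashlib.sha256(data).hexdigest()[:length]

def make_diagnostic(headers, body):
    """Signer side: one checksum per signed header plus a full body hash."""
    return {"headers": [(n.strip().lower(), checksum(canon_header(n, v))) for n, v in headers],
            "body": checksum(canon_body(body), 64)}

def diagnose(diag, headers, body):
    """Verifier side: name what no longer matches the signer's diagnostic."""
    received = {}
    for n, v in headers:
        received.setdefault(n.strip().lower(), []).append(checksum(canon_header(n, v)))
    unmatched = []
    for name, value in diag["headers"]:  # first pass: pair off exact matches
        if value in received.get(name, []):
            received[name].remove(value)
        else:
            unmatched.append(name)
    findings = []
    for name in unmatched:  # leftover instance means altered, none means removed
        if received.get(name):
            received[name].pop()
            findings.append("header modified: " + name)
        else:
            findings.append("header missing: " + name)
    if diag["body"] != checksum(canon_body(body), 64):
        findings.append("body modified")
    return findings

# Constructed sample message (not taken from the thread).
SAMPLE_HEADERS = [("From", "alice@example.org"), ("Subject", "Hello  world"), ("Date", "Tue, 18 Oct 2005 00:39:00 +0000")]
SAMPLE_BODY = "Line one\r\nLine two\r\n"
SAMPLE_DIAG = make_diagnostic(SAMPLE_HEADERS, SAMPLE_BODY)
```

A verifier can run the header pass as soon as the header block has arrived and the body comparison once the data phase ends, which separates header damage from body damage in the logs.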
