Douglas Otis wrote:
> When the signature has elapsed beyond the expiry period, the current
> draft indicates the recipient MUST NOT consider the signature to be
> valid. This would be independent of any sender policy. When the
> message is within a reasonable time frame beyond the expiry time, this
> could be due to two causes, replay or delay. With a high level of spam,
> placing messages into a junk folder is likely worse than rejecting the
> message. If this message was a delinquent delinquency notice, for
> example, either full acceptance or rejection would make more sense.
>
> The recipient may wish to consider how to handle delivery periods that
> are perhaps too short to accommodate delays that may occur in the
> recipient's system. The MUST in the draft may be a bit harsh.
>

The MUST in the draft refers to the validity of the signature, not the validity of the message.

If you subscribe (as I do) to the philosophy that an invalid signature should be treated as though it is absent, then the verifier MUST behave as though the expired signature just isn't there. Maybe there is another valid signature, or maybe not. If not, the message is handled just like an unsigned one.

-Jim

_______________________________________________
NOTE WELL: This list operates according to
http://dkim.org/ietf-list-rules.html
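Added example, not part of the original message or of the draft: a sketch of the verifier behaviour described in the reply, where an expired signature is dropped as though absent and the message falls back to any other valid signature or to unsigned handling. It assumes the expiry is carried in the DKIM `x=` tag; the function names, the sample headers and the pre-computed cryptographic result passed in as a boolean are all constructed for illustration.

```python
import re

def parse_tags(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags

def is_expired(tags, now):
    """True when the signature carries x= and that time has passed."""
    x = tags.get("x")
    if x is None:
        return False              # signer requested no expiry
    if not x.isdigit():
        return True               # assumption: malformed x= makes the signature invalid
    return now > int(x)

def usable_signatures(signatures, now):
    """Return signing domains of the signatures that still count.

    `signatures` is a list of (header_value, crypto_ok) pairs; crypto_ok is
    the result of the cryptographic check, done elsewhere (assumption).
    """
    kept = []
    for header_value, crypto_ok in signatures:
        tags = parse_tags(header_value)
        if not crypto_ok or is_expired(tags, now):
            continue              # invalid or expired: treated as though absent
        kept.append(tags.get("d"))
    return kept

def classify(signatures, now):
    """The signature verdict only; what to do with the message is local policy."""
    kept = usable_signatures(signatures, now)
    return ("signed", kept) if kept else ("unsigned", [])

# Constructed sample: the first signature expired one second before NOW.
NOW = 1_700_000_000
SAMPLE = [
    ("v=1; a=rsa-sha256; d=example.com; s=sel1; t=1699990000; x=1699999999", True),
    ("v=1; a=rsa-sha256; d=lists.example.net; s=ml; t=1699999000", True),
]

if __name__ == "__main__":
    print(classify(SAMPLE, NOW))      # second signature still counts
    print(classify(SAMPLE[:1], NOW))  # only the expired one: handled as unsigned
```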
