On Wed, Feb 15, 2006 at 06:21:36PM -0800, Eric Allman allegedly wrote:

> bad signatures. The order in which signatures are tried is a
> matter of local policy for the verifier and is not defined
> here.

Modulo possible upgrade/downgrade guidance given in other parts of the (future) spec.

> A verifier MAY treat a message that has one or more
> bad signatures and no good signatures differently from a
> message with no signature at all; again, this is local policy
> and is beyond the scope of this document.

I would almost want such text not to be in the spec, but making it clear that any assessment of invalid signatures is strictly out-of-scope and entirely a local policy is a good thing. Jim and Mike I think have pushed this button the most - and I agree completely - that ascribing meaning to an invalid signature is tenuous at best and certainly not something we want to codify.

>> Over 80% of SMTP transactions are not SMTP compliant
>> (intentionally). Is DKIM the exception to this high probability?

> Dream on, although I'm surprised the number is so high --- perhaps if
> you include spam engines. But here is where I think we have a
> disagreement; I am concerned, at least in the short run, about
> signatures that get trashed for innocuous reasons, such as mailing
> list exploders. I don't think such messages should be rejected.
> This is, of course, local policy.

Right. If anything I would want to go further and advise against implementing local policy in this space. The point about SMTP non-compliance reinforces that point as most of this non-conformance is likely due to ignorance, hubris and bugs rather than malicious intent.

Mark.

NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html
