On Tue, Apr 11, 2006 at 05:46:16PM -0700, Dave Crocker allegedly wrote:
>
> >Well, you may want to sign twice for an extended period, say if
> >sig1 is rsa-sha1 and sig2 is rsa-sha256 and it takes a year or more
> >before you're confident that a sufficient number of peers have
> >deployed sha256 verifiers.
>
> This presumes that a signature is expected to validate a year after it was
> created. Since DKIM is for transit, why would anyone expect a validation
> to occur that far into the future?

I don't think that's his point. His point is that it takes a year to be
confident that sufficient verifiers understand the new signature type.
IOW that year is the transition time for verifiers.

So yes, Jonathan, you have precisely described the case for two
signatures being generated by a signer - as a transition away from a
deprecated algorithm.

Mark.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
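The transition case discussed in this thread, as an added example that is not part of the original messages: one message carries an rsa-sha1 and an rsa-sha256 signature, and verifiers with different algorithm support each find one they can use. The function names, the example.com domain and the selectors are assumptions, and the sketch checks only the a= and bh= (body hash) tags; it does not verify the RSA signature in b=.

```python
import base64
import hashlib

HASHES = {"rsa-sha1": hashlib.sha1, "rsa-sha256": hashlib.sha256}

def parse_tags(value):
    """Parse a DKIM-Signature tag list ("a=rsa-sha1; d=...") into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # base64 padding "=" stays in val
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def body_hash(body, algorithm):
    """bh= value: hash of the body under 'simple' body canonicalization."""
    canon = body.rstrip(b"\r\n") + b"\r\n"  # trailing empty lines -> one CRLF
    return base64.b64encode(HASHES[algorithm](canon).digest()).decode()

def usable_signatures(signature_headers, body, supported):
    """Return the a= values of signatures this verifier supports and whose
    bh= matches. Unsupported algorithms are skipped, not counted as failures."""
    ok = []
    for header in signature_headers:
        tags = parse_tags(header)
        alg = tags.get("a")
        if alg not in supported or alg not in HASHES:
            continue  # this verifier cannot process it; try the next signature
        if tags.get("bh") == body_hash(body, alg):
            ok.append(alg)
    return ok

# Constructed sample: one message signed twice during the transition period.
BODY = b"Hello, world.\r\n\r\n"
DUAL_SIGNED = [
    "v=1; a=rsa-sha1; d=example.com; s=sel1; bh=" + body_hash(BODY, "rsa-sha1"),
    "v=1; a=rsa-sha256; d=example.com; s=sel2; bh=" + body_hash(BODY, "rsa-sha256"),
]

if __name__ == "__main__":
    verifiers = {"legacy": {"rsa-sha1"}, "upgraded": {"rsa-sha1", "rsa-sha256"}}
    for name, algs in verifiers.items():
        print(name, usable_signatures(DUAL_SIGNED, BODY, algs))
```

A message signed only with rsa-sha256 yields an empty list for the legacy verifier, which is the gap the second signature covers until enough verifiers have been upgraded.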
