
Re: z= question with X headers: msg#00552

ietf.dkim

Subject: Re: z= question with X headers

william(at)elan.net wrote:


On Fri, 28 Apr 2006, Eric Allman wrote:

The z= tag is only supposed to be used for "diagnostic purposes", not for computing the hash. Changing that would have major implications that we would have to examine very carefully.


So if mail list changed Subject header field (and for purposes of this
question did not add other fields or change content data) and there was
a signature in message before that contained original Subject in the 'z'
tag AND now message got to verifying agent - that agent is supposed
to say the signature is invalid rather than use data from 'z' tag to attempt to verify the signature?

Yes, but let me explain. As far as the spec is concerned, there is a single way
to verify a signature, and that does not involve anything with z=. We need this
to be true lest we infinitely devolve into arguments about what heuristics are
good, evil, etc. The current spec is algorithmic, and that's a Good Thing.

That said, dkim-base does not specify any output other than the internal state
of the verifier after the operation is complete, and this can be used for whatever
purpose the verifier thinks is useful. Nor does -dkim-base say that you must not
try to figure out what went wrong; this is the receiver's prerogative, and we aren't
the net.police. If you were to try to do that and make a different decision in your
receiver based upon that, that's your prerogative, but it's completely outside the
scope of the -dkim-base document. In other words, you're on your own.

Mike
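
The diagnostic use of z= discussed in this thread, as an added example that is not part of the original message or of any DKIM implementation: it decodes the copied header fields and reports which ones differ from the received message, without touching the verification result. It assumes the z= syntax later standardized in RFC 6376 (`|`-separated `name:value` copies in dkim-quoted-printable); the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

def parse_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags

def dkim_qp_decode(text):
    """Decode dkim-quoted-printable: drop all whitespace, expand =XX."""
    text = re.sub(r"\s+", "", text)
    return re.sub(r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def copied_headers(z_value):
    """Return [(name, value)] from a z= tag; '|' separates the copies."""
    pairs = []
    for item in z_value.split("|"):
        if item.strip():
            name, _, value = item.partition(":")
            pairs.append((dkim_qp_decode(name), dkim_qp_decode(value)))
    return pairs

def diagnose(raw_message):
    """Fields whose current value differs from the z= copy (diagnostic only)."""
    msg = message_from_string(raw_message)
    tags = parse_tags(msg.get("DKIM-Signature", ""))
    changed = []
    for name, signed in copied_headers(tags.get("z", "")):
        current = msg.get(name)
        # Compare with whitespace collapsed; the verdict itself never reads z=.
        if current is None or " ".join(current.split()) != " ".join(signed.split()):
            changed.append((name, signed, current))
    return changed

# Constructed sample: a list has prefixed the Subject after signing.
# bh= and b= are placeholders, not real hash or signature values.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=From:Subject; "
    "z=From:alice@example.com|Subject:demo=20run; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: alice@example.com\n"
    "Subject: [list] demo run\n"
    "\n"
    "body\n"
)

print(diagnose(SAMPLE))
```

The output names the Subject field as the one that changed in transit; the signature still fails under the algorithm in the spec, and what a receiver does with this extra information is local policy.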

