[ietf-dkim] Attempted summary, SSP again
fenton at cisco.com
Fri Jan 27 13:11:36 PST 2006
Perhaps part of the disconnect here is the question of whether the
policy applies to the validity of the message or to the validity of
John's original question is premised on the idea that there may be
multiple signatures on a message. Let's take it as a given for now that
there may be.
The ! (EXCLUSIVE) policy says "Third-party signatures SHOULD NOT be
accepted". So if a message with an OA signature and a third party is
verified, and the SSP is EXCLUSIVE, then the third-party signature
SHOULD be ignored, leaving the OA signature. The message isn't
considered Suspicious if the message has a valid OA signature. In other
words, it doesn't say "messages with third-party signatures SHOULD NOT
be accepted", it says that the third-party signature itself SHOULD NOT be.
I agree with many that it doesn't make a lot of sense to put a
third-party signature on a message that has an EXCLUSIVE SSP. But I
don't see why it should harm the message to do so, so long as applying
the new signature doesn't break one that's already there. The verifier
has to check SSP regardless (unless it verifies that there is a valid OA
signature first); it should be up to the re-signer to decide whether to
also check SSP or not.
P.S.: I'll echo Stephen's request for more comments on the threat
analysis document. I KNOW it isn't perfect!
Hector Santos wrote:
> ----- Original Message -----
> From: "Michael Thomas" <mike at mtcc.com>
>>> For the EXCLUSIVE policy? Following SSP, it would be a
>>> REJECT because the policy says no 3PS should exist.
>> That's not what it says. It says:
>> "! All mail from the entity is signed; Third-Party
>> signatures SHOULD NOT be accepted"
>> In the context, it means that it requires a first party signature.
>> It should probably be more explicit on this point.
> In the context of the Levine's question,
> "if a message has both a signature from the From: domain
> and one from someone else, does that pass? Why or why not?"
> Following your SSP draft description as posted above, this would be an
> unaccepted condition.
> What is the difference?
> Hector Santos, Santronics Software, Inc.
> ietf-dkim mailing list
More information about the ietf-dkim