[ietf-dkim] A few SSP axioms
stephen.farrell at cs.tcd.ie
Tue Aug 1 02:12:39 PDT 2006
Scott Kitterman wrote:
>> Message from A, signed by A and B; does SSP matter? (I hope not.)
> In my book it's the same as A signed by A. The only concern I would have is
> if B added content, what to do about that, I'm not sure. I expect that's
> probably a question for receiver policy and unlikely to be standardized.
>> Message from A, signed by C; SSP says nothing about C.
> Yes. Then how to treat this would be a question of what A's SSP says (is the
> list exclusive or not) and the receiver policy.
I still don't understand why we care if someone adds a signature and
does nothing else.
If B adds a signature covering a header not covered by A's signature,
then I can imagine that the verifier might want to treat that header
differently from those signed by A. But ignore that for now - if both
A and B sign exactly the same headers+content, then what bad thing
can happen? (That would cause A to want a countermeasure.)
> I think that the matrix that Hector did back at (or possibly just before) the
> working group started was a good one.
Agreed. Tables can call out less-obvious cases like where B adds another
field as above. (Note: I'm not saying I agree with the table content,
but I did like the approach.)
PS: Have a nice vacation!
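The cases discussed above (A and B signing the same headers, B covering an extra header, C signing alone), as an added illustration of what a verifier could do with them; this is example code, not from the thread or any DKIM implementation, and the `SenderPolicy` record is an assumed simplification of SSP with constructed domain names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One cryptographically valid DKIM-Signature: d= domain and h= header names."""
    signer: str
    headers: frozenset


@dataclass(frozen=True)
class SenderPolicy:
    """Assumed, simplified SSP record for the author domain (not the draft's
    syntax): third-party signers the author permits, and whether that list
    is exclusive."""
    allowed_signers: frozenset = frozenset()
    exclusive: bool = False


def evaluate(author_domain, signatures, policy):
    """Classify each signed header by who vouches for it, then give a verdict.

    Header status: 'author' if the author domain's own signature covers it,
    'third-party' if only some other domain's signature covers it. A second
    signature over exactly the headers the author already signed changes
    nothing; a header covered only by B is flagged so the receiver can treat
    it differently.
    """
    author = author_domain.lower()
    author_sigs = [s for s in signatures if s.signer.lower() == author]
    third_sigs = [s for s in signatures if s.signer.lower() != author]
    allowed = {d.lower() for d in policy.allowed_signers}

    status = {}
    for s in author_sigs:
        for h in s.headers:
            status[h.lower()] = 'author'
    for s in third_sigs:
        for h in s.headers:
            status.setdefault(h.lower(), 'third-party')  # keep 'author' if set

    if author_sigs:
        verdict = 'author-signed'
    elif not third_sigs:
        verdict = 'unsigned'
    elif policy.exclusive and any(s.signer.lower() not in allowed for s in third_sigs):
        verdict = 'policy-violation'   # SSP says nothing about this signer
    else:
        verdict = 'third-party'        # left to receiver policy
    return verdict, status
```

Constructed inputs: `evaluate('a.example', [Signature('a.example', frozenset({'From','Date'})), Signature('b.example', frozenset({'From','Date','Subject'}))], SenderPolicy())` returns `'author-signed'` with `Subject` marked `'third-party'`.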