[ietf-dkim] A few SSP axioms
johnl at iecc.com
Tue Aug 1 06:57:01 PDT 2006
>> In my book it's the same as A signed by A. The only concern I would have
>> is if B added content, what to do about that, I'm not sure.
I'd appreciate a concrete example where B adds and signs content without
breaking A's signature.
There's a few scenarios that have come up:
* The first signature has l= and B adds stuff at the end.
* The first signature didn't have MIME headers and B adds them,
perhaps making a lot of the original message invisible in a newly
defined MIME part.
Note that these two are easy to defend against: always sign MIME headers,
even if there aren't any, and don't use l=.
If people think there are other scenarios where a second signer can
make signficant changes to a message without breaking an existing
signature, we have worse problems than SSP.
More information about the ietf-dkim