[ietf-dkim] Are verifiers expected to query SSP on a
pbaker at verisign.com
Wed Aug 2 11:22:05 PDT 2006
> From: Stephen Farrell [mailto:stephen.farrell at cs.tcd.ie]
> Why? Surely all that can happen is stripping of the stronger
> sig and we already decided that that wasn't a bother for
> base, so why is it a problem now? (Maybe I mis-remember but I
> think we decided it was a non-problem, not that it was a
> problem to punt to SSP.)
Alice decides to sign with ZSA, which has just been approved. Few people support ZSA, so she also signs with RSA2048.
Bob's mail gateway does not support ZSA.
Mallet strips out the RSA2048 signature, modifies the message and leaves in the ZSA signature.
Bob can see that there is a signature which points to a valid key record but has no way to verify it and no way to know that it does not comply with Alice's signature policy.
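The scenario in the message above, modelled as a verifier decision function. This is an added example, not part of the original post: the `Sig` type, the `evaluate` function, the verdict strings and the representation of a sender policy as a list of always-present algorithms are all assumptions for illustration, and ZSA is the message's hypothetical new algorithm.

```python
# Added illustration; every name here is hypothetical and the policy format is assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Sig:
    algorithm: str       # "rsa2048", or the message's hypothetical "zsa"
    key_record_ok: bool  # the signature points to a valid key record
    body_ok: bool        # ground truth: does it verify over the received message?

def evaluate(sigs, supported, policy_algs=None):
    """Verdict of one verifier for one received message.

    sigs        -- signatures present on the message as received
    supported   -- algorithms this verifier implements
    policy_algs -- algorithms the sender's policy says are always present
                   (None means the verifier has no policy information)
    """
    checkable = [s for s in sigs if s.algorithm in supported and s.key_record_ok]
    if any(s.body_ok for s in checkable):
        return "pass"
    if checkable:
        return "fail"
    # Nothing here can be checked, so body_ok is invisible to this verifier.
    if policy_algs is not None:
        present = {s.algorithm for s in sigs}
        missing = (set(policy_algs) & set(supported)) - present
        if missing:
            return "policy-violation"  # an expected, checkable signature is absent
    return "unverifiable"

BOB_SUPPORTS = {"rsa2048"}            # Bob's gateway does not support ZSA
ALICE_POLICY = ["zsa", "rsa2048"]     # constructed: Alice always signs with both

# Constructed messages: as Alice sent it, and after the RSA2048 signature was
# stripped and the body modified (so the remaining ZSA signature is now invalid).
AS_SENT = [Sig("zsa", True, True), Sig("rsa2048", True, True)]
AS_RECEIVED = [Sig("zsa", True, False)]
# Constructed: an untouched message from a sender who only ever signs with ZSA.
ZSA_ONLY_SENDER = [Sig("zsa", True, True)]

if __name__ == "__main__":
    print(evaluate(AS_SENT, BOB_SUPPORTS))                    # pass
    print(evaluate(AS_RECEIVED, BOB_SUPPORTS))                # unverifiable
    print(evaluate(ZSA_ONLY_SENDER, BOB_SUPPORTS))            # unverifiable
    print(evaluate(AS_RECEIVED, BOB_SUPPORTS, ALICE_POLICY))  # policy-violation
```

Without policy information the stripped, modified message and an untouched ZSA-only message produce the same verdict at Bob's gateway; only the policy lookup separates them.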