ietf-dkim

Re: [ietf-dkim] there is no such thing as a valid dkim-base *message*

2006-08-28 10:09:36
On 8/28/06, Michael Thomas <mike(_at_)mtcc(_dot_)com> wrote:

>Hector Santos wrote:
>
>>    Subject: Check your account
>>    Date: Sun, 27 Aug 2006 05:04:42 -0700
>>    From: accounts(_at_)bank(_dot_)com
>>    To:  PoorUser(_at_)ISP(_dot_)COM
>>    Sender: support(_at_)asp(_dot_)com
>>    DKIM-Signature: d=bank.com     # invalid 1st party
>>    DKIM-Signature: d=asp.com...   # valid 3rd party
>>
>>
>[...]
>
>
>>According to DKIM-BASE, the valid 3PS signature would make
>>this a valid DKIM message, even if the 1st party signature
>>failed.
>>

I'm afraid that this is a pretty fundamental misunderstanding of what
dkim-base does and does not provide. DKIM-base does not say whether a
given message is valid: that is not something that it can say with any
accuracy. It does provide a mechanism for a receiver to determine
whether one or more dkim signatures are valid. How those (in)valid
signatures are evaluated by the receiver is out of scope of the protocol.

IMO the contention that remains is how this "mechanism" is to be
used and interpreted and a particular signing level. Providing a level
of valuation is not a dictation of how that valuation is used.

Regards,
Damon Sauer
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
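
The distinction drawn in the thread, as an added example that is not part of the original message or of any DKIM implementation: the base mechanism yields one result per signature, and a separate receiver policy turns those results into a verdict. The message, the `VERIFIED` outcomes, the selector names and both policy functions are constructed assumptions; no real signature checking is performed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the headers quoted in the thread.
RAW = (
    "Subject: Check your account\n"
    "From: accounts@bank.com\n"
    "Sender: support@asp.com\n"
    "DKIM-Signature: v=1; d=bank.com; s=sel1\n"
    "DKIM-Signature: v=1; d=asp.com; s=sel2\n"
    "\n"
    "body\n"
)
# Assumed verifier output per signing domain (no real keys or hashes here).
VERIFIED = {"bank.com": False, "asp.com": True}


def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    pairs = (item.split("=", 1) for item in value.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}


def signature_results(raw, verified):
    """What the base mechanism yields: one result per signature, no message verdict."""
    msg = message_from_string(raw)
    author = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        d = parse_tags(value).get("d", "").lower()
        results.append({"d": d, "valid": verified.get(d, False),
                        "first_party": d == author})
    return results


# Two hypothetical receiver policies; neither is defined by DKIM-base.
def policy_any_valid(results):
    return any(r["valid"] for r in results)


def policy_author_domain(results):
    return any(r["valid"] and r["first_party"] for r in results)


if __name__ == "__main__":
    res = signature_results(RAW, VERIFIED)
    for r in res:
        print(r)
    print("any valid signature:", policy_any_valid(res))
    print("valid author-domain signature:", policy_author_domain(res))
```

The same per-signature results give opposite verdicts under the two policies, which is the part the thread describes as out of scope for the base protocol.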
