John Levine wrote:
A third party signature from a stranger is useless, I don't ever
recall anyone claiming otherwise, and I've never understood why this
red herring comes up over and over and over and over and over again.
Let me take a guess.
Could it be because you have selective bias to ignore and neglect all
security concerns expressed over and over again by legitimizing the
existence of unexpected states that is fundamentally conflictive with
existing long held private email practices?
In layman terms, while stating a 3PS is useless without some form of
non-repudiated prior arrangement is plausible, the mere fact for the
unexpected existence of 3PS has a tremendous value in the area of mail
tampering and fraud detection and protection.
IMO, to ignore this is irresponsible.
Just consider that by believing a 3rd party signature is useless, this
premise alone may be enough to provide justification for a verifier to
"discard" any message with a 3rd party signature.
Because your model implies there should never exist a 3rd party
signature due to its useless value, therefore no legitimate DKIM signer
would ever attempt to sign as a 3rd party.
Unless your ASP model has specific semantics to not DISCARD 3rd party
signatures, as did SSP-01, be careful for what you ask for because this
might be exactly what will happen inevitable. After all, you said 3rd
party signatures are useless.
Hector Santos, CTO
NOTE WELL: This list operates according to