Earl Hood wrote:
If the second signature binds to the OA, it is not a third-party
signature, it is a first-party signature. A third-party signature is a
signature that does not bind to the OA. So the third-party signing
policy is irrelevant.
On July 30, 2005 at 07:38, Jim Fenton wrote:
This means that the addition of a valid signature to a message with a
valid first-party signature could make it invalid. I'd like to
understand what problem this solves; it doesn't seem to be protecting
against abuse of the original message.
And this second signature passes, we still might need to look up the SSP for
example.com because the policy might suggest no further signing was
IMO, an additional assertion of accountability for a message shouldn't
make it less valid.
The first signature is not made invalid if the second signature
can specify its role; i.e. the second signature is not bound
to the OA.
And even with that, if the second signature is binding to the
OA, it is invalid if the OA SSP disallows 3rd-party signing. This
should have no effect on the first signature.
If the message has a valid first-party signature, then that is
considered sufficient to authorize the message and it is not generally
necessary to display anything about other signatures in the message.
Now, what does the invalidness (is that a word?) of the second
signature mean? How is this conveyed to the end-user?
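The rule Earl Hood is arguing for (a first-party signature stands on its own; a second signature is judged by whether it binds to the originator address and by the originator domain's SSP; a failing second signature does not retract the first) can be written down as a small verifier. The model below is an added illustration, not code from this thread or from the DKIM/SSP drafts. It assumes a signature "binds to the OA" when its signing domain equals the domain of the originator address, that SSP is a single allow/disallow-third-party flag, and that cryptographic verification has already happened (the `crypto_valid` field); all three are simplifications chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class Policy(Enum):
    # Constructed SSP values for this illustration; not the draft's record syntax.
    ALLOW_THIRD_PARTY = "allow"
    DISALLOW_THIRD_PARTY = "disallow"


@dataclass
class Signature:
    signing_domain: str   # the d= identity the signature asserts
    crypto_valid: bool    # result of the cryptographic check, assumed done already


def domain_of(address: str) -> str:
    """Domain part of an originator address (assumed: one '@', no comments)."""
    return address.rsplit("@", 1)[1].lower()


def classify(sig: Signature, originator: str) -> str:
    """A signature that binds to the OA is first-party; any other is third-party.
    Assumption for this example: binding means 'same domain as the OA'."""
    if sig.signing_domain.lower() == domain_of(originator):
        return "first-party"
    return "third-party"


def evaluate(originator: str,
             signatures: List[Signature],
             ssp_lookup: Callable[[str], Policy]) -> Tuple[bool, List[Tuple[str, str, str]]]:
    """Judge each signature independently and report whether the message
    is authorized. Returns (authorized, [(signing_domain, role, status), ...]).

    The first-party decision never consults the SSP, so a disallowed or
    broken third-party signature cannot change it."""
    policy = ssp_lookup(domain_of(originator))
    results = []
    for sig in signatures:
        role = classify(sig, originator)
        if not sig.crypto_valid:
            status = "fail"                      # bad signature, whatever its role
        elif role == "first-party":
            status = "pass"                      # binds to the OA: SSP irrelevant
        elif policy is Policy.DISALLOW_THIRD_PARTY:
            status = "fail"                      # OA's policy rejects this signer
        else:
            status = "pass"
        results.append((sig.signing_domain, role, status))
    authorized = any(role == "first-party" and status == "pass"
                     for _, role, status in results)
    return authorized, results


def strict_ssp(domain: str) -> Policy:
    """Constructed lookup: every domain disallows third-party signing."""
    return Policy.DISALLOW_THIRD_PARTY


def demo() -> Tuple[bool, List[Tuple[str, str, str]]]:
    # Constructed message: signed by the originator's domain, then re-signed
    # by a list expander whose domain the OA's SSP does not authorize.
    sigs = [Signature("example.com", True),
            Signature("lists.example.net", True)]
    return evaluate("alice@example.com", sigs, strict_ssp)


if __name__ == "__main__":
    authorized, per_sig = demo()
    print("authorized:", authorized)
    for domain, role, status in per_sig:
        print(f"  {domain:20} {role:12} {status}")
```

The second signature fails under the strict policy, yet `authorized` stays true because only the first-party result feeds that decision; a message carrying only the list's signature under the same policy is not authorized. What a verifier should show the user about the failed second signature is the open question the thread ends on, and the model deliberately leaves that to the caller.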