ietf-822

Re: Draft for signed headers

1999-03-17 09:48:08
On Tue, 16 Mar 1999 20:55:17 PST, Brad Templeton said:
What is thought on whether multiple headers should be:

      Signed-1:
      Signed-2:

vs.
      Signed: l=1;
      Signed: l=2;

I know in mail the Received header gets simply done multiple times.  Is
there any feeling each way?

Definitely the latter.

There is no need to "sign" a "signed" header.   Can you tell me why you
would want to do this?   A "signed" header (and any certificate) is
verifiable on its own when paired with the signed headers and body.  I

I'm in the office, and my copy of Schneier's "Applied Cryptography" is
at home, but I do seem to recall there being a discussion of signing of
signatures being important for notary services and non-repudiation schemes.

Basically, you're signing with *your* key, and your key has some sort
of chain of trust attached to it so the recipient can verify it was indeed
your key.  However, for timestamping services and the like, you need to
get a *second* trusted signature to verify that it was, in fact, done
at the actual time it claims, and so on.

I can't offhand speak to whether Usenet or E-mail *need* support for
timestamping and notary services - but if you *are* going to do this,
it will require a second signature.

-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech

Attachment: pgp3Wa5MgXi54.pgp
Description: PGP signature
