John Levine wrote:
? supporting multiple signatures on single messages
This is a chronically contentious point.
PRO: Relays can re-sign to show the path that a message took. Lists
and forwarders can re-sign so a message has both the original sender's
sig and the list or forwarder's sig.
CON: If you sign it, you take responsibility for it, recipients
shouldn't care how it got to you. Multiple signatures are fragile
when transiting list managers that may modify the subject and body (a
topic debated at length with IIM.) If a message has both a good sig
and a bad sig, semantics are not clear.
My view is that a bad signature is equivalent to no signature since an
attacker could easily create a signature that doesn't verify (so you
shouldn't treat it any better) and something in the mail path could
break the signature (so you shouldn't treat it any worse).
My inclination is to waffle, to permit multiple signatures but not to
encourage them and not to try to specify the semantics. They don't
seem very useful to me, but they also don't seem so clearly useless
that I would want to outlaw them.
Agreed; at the very least they shouldn't be declared out of scope by the
charter because there is substantial support for considering possible
use of multiple signatures.
-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org