On October 13, 2005 at 18:58, John Levine wrote:
3. If it decides that it should pass, the mailing list should LEAVE the
existing signature (that part is not universally agreed on, of course,
Since the signature won't verify any more, I don't see the point.
If the data hash was a separate parameter in the DKIM-Sig field and
only the DKIM-Sig field is what is digitally signed, then there can
be some value in leaving the existing signature.
Of course, verifiers cannot put any weight on the field if the data
hash fails, but it can be useful for trace and auditing purposes.
There have been some proposals to standardize a header that a verifier
could add to say that it found a good signature, and the outgoing
signer could sign that, but I'm not sure that's any more useful in
practice.
With the data hash separate, the list software can include the
existing DKIM-Signature in its data hash. This tells the recipient
that list software verified the original signature before sending
the message out to subscribers, and the recipient can still
verify the cryptographic signature of the original signature.
--ewh
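The design discussed in this exchange, a body hash carried as its own tag so the header signature survives list edits and the list's signature covering the original DKIM-Signature field, as an added example that is not part of the post. HMAC-SHA256 stands in for DKIM's RSA signature, and the header canonicalization and tag layout are simplified assumptions of the example, not the spec.

```python
import hashlib
import hmac

# Constructed keys; HMAC-SHA256 stands in for DKIM's RSA signature so this runs
# with the standard library only (an assumption of this example, not DKIM itself).
AUTHOR_KEY = b"author-domain-secret"
LIST_KEY = b"list-domain-secret"

def body_hash(body):
    return hashlib.sha256(body.encode()).hexdigest()

def header_input(headers, own, signed_names):
    """Signed data: bottom-most match of each h= name (own field excluded),
    then the signature field itself with an empty b=, as DKIM specifies."""
    others = [h for h in headers if h is not own]
    parts = []
    for name in signed_names:
        match = [v for n, v in others if n.lower() == name.lower()]
        parts.append(f"{name}:{match[-1] if match else ''}")
    parts.append(f"{own[0]}:{own[1].rsplit('b=', 1)[0]}b=")
    return "\r\n".join(parts).encode()

def sign(headers, body, signed_names, key, domain):
    """Prepend a DKIM-style signature whose body hash (bh=) is a separate tag."""
    value = f"d={domain}; h={':'.join(signed_names)}; bh={body_hash(body)}; b="
    own = ("DKIM-Signature", value)
    mac = hmac.new(key, header_input(headers, own, signed_names), hashlib.sha256)
    return [("DKIM-Signature", value + mac.hexdigest())] + headers

def verify(headers, body, field, key):
    """Return (header_signature_ok, body_hash_ok) for one DKIM-Signature field."""
    t = dict(p.strip().split("=", 1) for p in field[1].split(";") if p.strip())
    mac = hmac.new(key, header_input(headers, field, t["h"].split(":")), hashlib.sha256)
    return hmac.compare_digest(mac.hexdigest(), t["b"]), t["bh"] == body_hash(body)

def demo():
    """Author signs; the list appends a footer, checks the author field, re-signs over it."""
    body = "Hello list\r\n"
    msg = sign([("From", "alice@example.org"), ("Subject", "hi")], body,
               ["From", "Subject"], AUTHOR_KEY, "example.org")
    relayed_body = body + "-- \r\nlist footer\r\n"            # list modification
    author = verify(msg, relayed_body, msg[0], AUTHOR_KEY)      # (True, False)
    relayed = sign([("List-Id", "dkim.example.net")] + msg, relayed_body,
                   ["From", "Subject", "List-Id", "DKIM-Signature"], LIST_KEY, "example.net")
    lst = verify(relayed, relayed_body, relayed[0], LIST_KEY)   # (True, True)
    # A hop that alters the author's signature field after the list signed breaks the list signature.
    edited = relayed[:2] + [("DKIM-Signature", relayed[2][1] + "0")] + relayed[3:]
    tampered = verify(edited, relayed_body, edited[0], LIST_KEY)  # (False, True)
    return {"author": author, "list": lst, "tampered": tampered}
```

The author's field still verifies over the headers after the list edit (only its bh= fails), which is the trace value the post describes, and the list signature binds that field so a later change to it is detectable.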
_______________________________________________
ietf-dkim mailing list
http://dkim.org