Dave Crocker wrote:
OK. Able is on your whitelist. Charlie is on your blacklist. Now
what?
I'm making this up as I go, but I suppose I would accept the message:
if someone I trust asserts responsibility for the message, that's more
important than the fact that someone I distrust also asserted
responsibility.
'making this up as I go' is really exactly the problem. multiple
signatures moves from one entity taking responsibility to some unknown
combination of responsibilities, ensuring substantially greater
complexity in the overall system. What are the relationships among the
signers? How much does the validator care and in what way? etc.
This dilemma is completely possible today by
inspecting the ip addresses in received headers. Somehow
the world has continued rotating, and I can see the dawn
across the Berkeley Hills as proof. There is a presumption
here that all receivers need to be in lock step for each
and every corner case. The mail system today shows it is
far more resilient than is being given credit for.
ps. the small matter of transitions, such as between different signing
keys, is really the argument that convinced me we needed multiple
signatures. but that is a "find one valid signature" rather than
"analyze the relationship among multiple".
There's intermediate ground between "find one" and "analyze
the relationship" too. One can treat them as independent
entities for input to a rules engine too.
Mike
_______________________________________________
ietf-dkim mailing list
http://dkim.org
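
The two handling models contrasted in the thread ("find one valid signature" and treating each signer as an independent input to a rules engine), applied to the Able/Charlie case, as an added example that is not code from any participant on the list. The domains, weights and function names are constructed assumptions, and signature verification itself is assumed to have been done elsewhere.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SigResult:
    signer: str   # d= domain taken from one DKIM-Signature header
    valid: bool   # verification outcome, computed elsewhere (assumption)

# Constructed local policy lists for the Able/Charlie scenario.
WHITELIST = {"able.example"}
BLACKLIST = {"charlie.example"}

def find_one_valid(results):
    """Key-transition model: any single valid signature is sufficient."""
    return any(r.valid for r in results)

def signer_score(result):
    """Score one signature on its own, with no reference to other signers."""
    if not result.valid:
        return 0      # a failed signature counts the same as no signature
    if result.signer in WHITELIST:
        return 10     # assumed weight: trust outweighs distrust
    if result.signer in BLACKLIST:
        return -5     # assumed weight
    return 0          # valid but unknown signer: no opinion either way

def rules_engine(results):
    """Independent-inputs model: sum per-signer scores, then classify."""
    total = sum(signer_score(r) for r in results)
    if total > 0:
        return "trusted", total
    if total < 0:
        return "distrusted", total
    return "neutral", total

if __name__ == "__main__":
    # Constructed sample: both Able and Charlie signed, both verify.
    both = [SigResult("able.example", True), SigResult("charlie.example", True)]
    print(find_one_valid(both), rules_engine(both))
    # Constructed sample: Able's signature broke in transit, Charlie's verifies.
    broken = [SigResult("able.example", False), SigResult("charlie.example", True)]
    print(find_one_valid(broken), rules_engine(broken))
```

In the second sample "find one valid" still succeeds because Charlie's signature verifies, while the per-signer scoring reports the message as distrusted.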