Earl Hood wrote:
On October 13, 2005 at 16:20, Jim Fenton wrote:
This relates to one of the motivations for multiple signatures. If you
have a non-mangling mailing list, you might want to preserve the
original signature, because it's still valid and some people might want
to base a decision on that. They (or others) might want to know for
sure that it came from the list, because they want to make sure that
they read all messages on the list. A WG chair might have that concern,
for example.
And here is where roles can play an important role, especially wrt SSP.
The mailing list signature could not be applied, or be valid, if the
SSP (as currently defined) disallows 3rd-party signatures (and it
has been argued that no entity should allow 3rd-party sigs due to
spoofing concerns).
However, if the list sig had a role specification, SSP constraints
would not be a factor since the list is not claiming any relationship
with to the OA.
That would be fine if the recipient had a way of seeing the role -- or
the claimed role since there is no way of proving it -- associated with
the signature. But most message recipients (Outlook users being a
notable exception) only see the From address. Your messages to the list
(that aren't individually addressed to me) still look to like they come
from "Earl Hood <earl(_at_)earlhood(_dot_)com>" despite the fact that I get them
from the list. The list doesn't have to claim any relationship with the
OA; my MUA (and many others!) do it for them.
-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org