ietf-dkim

[ietf-dkim] is this a problem or not?

2005-10-28 16:04:00

In an offlist exchange with Doug I asked him whether he thinks
the following scenario is an example of his perceived problem
with ssp. He said it is an example, so I wanted to check with
the list about this.

1. Alice works for Alice-Corp who publish a policy to the effect
   that they and only they sign all their outbound mail.
2. Alice posts a message to Foo-list which signs the message
   itself and drops Alice's signature.
3. Bob receives the message from the Foo-list, signed by the list.
4. Bob looks up Alice-Corp's ssp assertion and considers the
   message as having a bad signature.
5. In order to alleviate this problem Alice-Corp are forced
   to weaken their policy to allow 3rd party signatures to be
   accepted by Bob.

So, is there an error in the above? (E.g. does the problem go
away if both signatures are maintained with the message, or
does it just get more messy, but remain a problem?)

If the above is possible, how should/can it be avoided?

Note: even if this is a valid problematic scenario, I don't
believe we need to fix it right now, but we should recognise
it as a problem that needs solving.

Stephen.


_______________________________________________
ietf-dkim mailing list
http://dkim.org
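
A minimal model of the receiver's check in steps 3 to 5 of the message above, added here as an illustration and not part of the original message. The policy labels, the `evaluate` function and the domain names are hypothetical and are not SSP record syntax; whether a retained signature still verifies is treated as an input.

```python
from dataclasses import dataclass

# Hypothetical policy labels for this sketch; they are not SSP record syntax.
FIRST_PARTY_ONLY = "first-party-only"  # step 1: "they and only they sign"
THIRD_PARTY_OK = "third-party-ok"      # step 5: weakened policy

@dataclass(frozen=True)
class Signature:
    signer_domain: str
    verifies: bool  # outcome of signature verification at the receiver (an input here)

def evaluate(author_domain, signatures, policy):
    """Bob's verdict for one message under the author domain's published policy."""
    valid = [s for s in signatures if s.verifies]
    if any(s.signer_domain == author_domain for s in valid):
        return "pass"  # a valid first-party signature satisfies either policy
    if policy == THIRD_PARTY_OK and valid:
        return "pass"  # any valid signer is accepted, not only Foo-list
    return "fail"

def scenario():
    # Constructed domains standing in for Alice-Corp, Foo-list and an unrelated signer.
    corp, lst, other = "alice-corp.example", "foo-list.example", "unrelated.example"
    list_sig = Signature(lst, True)
    return {
        "direct mail, strict policy":
            evaluate(corp, [Signature(corp, True)], FIRST_PARTY_ONLY),
        "list drops Alice's signature (steps 2-4)":
            evaluate(corp, [list_sig], FIRST_PARTY_ONLY),
        "both kept, Alice's still verifies":
            evaluate(corp, [Signature(corp, True), list_sig], FIRST_PARTY_ONLY),
        "both kept, Alice's no longer verifies":
            evaluate(corp, [Signature(corp, False), list_sig], FIRST_PARTY_ONLY),
        "weakened policy, list signature (step 5)":
            evaluate(corp, [list_sig], THIRD_PARTY_OK),
        "weakened policy, unrelated signer":
            evaluate(corp, [Signature(other, True)], THIRD_PARTY_OK),
    }

if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{verdict:5} {case}")
```

In this model the weakened policy of step 5 accepts the list's signature only by accepting every valid third-party signer.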