ietf-dkim

Re: [ietf-dkim] Attempted summary, SSP again

2006-01-27 14:14:26
Hector,

Perhaps part of the disconnect here is the question of whether the
policy applies to the validity of the message or to the validity of
individual signatures.

John's original question is premised on the idea that there may be
multiple signatures on a message.  Let's take it as a given for now that
there may be.

The ! (EXCLUSIVE) policy says "Third-party signatures SHOULD NOT be
accepted".  So if a message with an OA signature and a third party is
verified, and the SSP is EXCLUSIVE, then the third-party signature
SHOULD be ignored, leaving the OA signature.  The message isn't
considered Suspicious if the message has a valid OA signature.  In other
words, it doesn't say "messages with third-party signatures SHOULD NOT
be accepted", it says that the third-party signature itself SHOULD NOT be.

I agree with many that it doesn't make a lot of sense to put a
third-party signature on a message that has an EXCLUSIVE SSP.  But I
don't see why it should harm the message to do so, so long as applying
the new signature doesn't break one that's already there.  The verifier
has to check SSP regardless (unless it verifies that there is a valid OA
signature first); it should be up to the re-signer to decide whether to
also check SSP or not.

-Jim

P.S.: I'll echo Stephen's request for more comments on the threat
analysis document.  I KNOW it isn't perfect!


Hector Santos wrote:
> ----- Original Message -----
> From: "Michael Thomas" <mike(_at_)mtcc(_dot_)com>
>
> > > For the EXCLUSIVE policy?  Following SSP, it would be a
> > > REJECT because the policy says no 3PS should exist.
> >
> > That's not what it says. It says:
> >
> >       "!  All mail from the entity is signed; Third-Party
> >           signatures SHOULD NOT be accepted"
> >
> > In the context, it means that it requires a first party signature.
> > It should probably be more explicit on this point.
>
> In the context of Levine's question,
>
>    Levine:
>    "if a message has both a signature from the From: domain
>     and one from someone else, does that pass?  Why or why not?"
>
> Following your SSP draft description as posted above, this would be an
> unaccepted condition.
>
> What is the difference?
>
> --
> Hector Santos, Santronics Software, Inc.
> http://www.santronics.com



_______________________________________________
ietf-dkim mailing list
http://dkim.org
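The two readings argued in this thread, side by side, as an added Python example that is not part of the original messages or of the SSP draft: Jim's signature-level reading of the "!" (EXCLUSIVE) policy, where third-party signatures are simply ignored, against the message-level reading under which any third-party signature makes the message unacceptable. The `Signature` and `Verdict` types, the function names, the treatment of invalid third-party signatures under the message-level reading, and the example domains are all assumptions.

```python
from dataclasses import dataclass
from email.utils import parseaddr
from typing import NamedTuple

@dataclass(frozen=True)
class Signature:
    domain: str   # d= domain of the DKIM-Signature header (assumed already parsed)
    valid: bool   # result of verifying that signature cryptographically

class Verdict(NamedTuple):
    accepted: tuple   # signatures the verifier keeps after applying SSP
    suspicious: bool  # whether the message ends up Suspicious

def originator_domain(from_header: str) -> str:
    """Domain of the From: address, i.e. the originating address (OA) domain."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def is_third_party(sig: Signature, oa_domain: str) -> bool:
    return sig.domain.lower() != oa_domain

def signature_level(from_header: str, sigs: tuple) -> Verdict:
    """EXCLUSIVE ("!") applied per signature, as Jim reads it: third-party
    signatures are ignored, and the message is Suspicious only when no
    valid OA signature remains."""
    oa = originator_domain(from_header)
    accepted = tuple(s for s in sigs if s.valid and not is_third_party(s, oa))
    return Verdict(accepted, suspicious=not accepted)

def message_level(from_header: str, sigs: tuple) -> Verdict:
    """EXCLUSIVE ("!") applied to the whole message, the REJECT reading:
    any third-party signature present (valid or not, an assumption made
    here) makes the message unacceptable even beside a valid OA signature."""
    oa = originator_domain(from_header)
    if any(is_third_party(s, oa) for s in sigs):
        return Verdict((), suspicious=True)
    accepted = tuple(s for s in sigs if s.valid)
    return Verdict(accepted, suspicious=not accepted)

# Constructed sample for Levine's case: a valid From:-domain signature plus a
# valid signature added by a mailing list that re-signed the message.
FROM = "Alice <alice@Example.com>"
LEVINE_CASE = (Signature("example.com", True), Signature("lists.example.net", True))
print("signature-level:", signature_level(FROM, LEVINE_CASE))
print("message-level:  ", message_level(FROM, LEVINE_CASE))
```

On Levine's case the signature-level reading keeps the OA signature and does not mark the message Suspicious, while the message-level reading rejects it; an unsigned message or a third-party-only signature is Suspicious under both.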