Scott Kitterman wrote:

Message from A, signed by A and B; does SSP matter? (I hope not.)

In my book it's the same as A signed by A. The only concern I would have is
if B added content, what to do about that, I'm not sure. I expect that's
probably a question for receiver policy and unlikely to be standardized.

Message from A, signed by C; SSP says nothing about C.

Yes. Then how to treat this would be a question of what A's SSP says (is the
list exclusive or not) and the receiver policy.

I still don't understand why we care if someone adds a signature and
does nothing else.

If B adds a signature covering a header not covered by A's signature,
then I can imagine that the verifier might want to treat that header
differently from those signed by A. But ignore that for now - if both
A and B sign exactly the same headers+content, then what bad thing
can happen? (That would cause A to want a countermeasure.)

I think that the matrix that Hector did back at (or possibly just before) the
working group started was a good one.

Agreed. Tables can call out less-obvious cases like where B adds another
field as above. (Note: I'm not saying I agree with the table content,
but I did like the approach.)

S.

PS: Have a nice vacation!
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html