ietf-dkim

Re: [ietf-dkim] A few SSP axioms

2006-08-01 07:19:59
On Tuesday 01 August 2006 10:00, John Levine wrote:
>> As I read the latter case, the only signature present (C's) is not one that
>> is included in A's SSP.  In this case we have a message with a signature
>> that is outside the scope of what A has said is authorized (or not included
>> in A's authoritative list).  If A is a high profile phishing target and
>> signs all of its mail, then it would be useful (I think) for receivers
>> to recognize that the message has been signed by someone other than who A
>> said it would.
>
> Why do you want to prevent people from forwarding genuine, unmodified
> messages?  That's a feature, not a bug.

In this scenario, A has said that it signs all its messages and its 
signature is not verifiably present.  I don't want to prevent people from 
forwarding genuine unmodified messages.  This is a case where a signature 
that the SSP of A has said is to be expected is missing, not standard 
forwarding.

> If ebay sends a message with a valid ebay signature, how can any chain
> of forwarding and added signatures change the fact that it's a real
> ebay message?  Let's assume that ebay has enough sense to sign its
> MIME headers and not to use l=, so the message that's delivered is the
> same one that was sent.

Agreed.  As Stephen pointed out, it's the absence of A's signature that is the 
real point I'm driving at.

Scott K
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
