Hector Santos wrote:
Subject: Check your account
Date: Sun, 27 Aug 2006 05:04:42 -0700
From: accounts(_at_)bank(_dot_)com
To: PoorUser(_at_)ISP(_dot_)COM
Sender: support(_at_)asp(_dot_)com
DKIM-Signature: d=bank.com # invalid 1st party
DKIM-Signature: d=asp.com... # valid 3rd party
[...]
According to DKIM-BASE, the valid 3PS signature would make this a valid DKIM message, even if the 1st party signature failed.
I'm afraid that this is a pretty fundamental misunderstanding of what dkim-base does and does not provide. DKIM-base does not say whether a given message is valid: that is not something that it can say with any accuracy. It does provide a mechanism for a receiver to determine whether one or more dkim signatures are valid. How those (in)valid signatures are evaluated by the receiver is out of scope of the protocol.
I'm afraid that this may be one of the unintentional results of the previous -base drafts having the Authentication-Results: header in it.
Authentication-Results -- which may or may not lead to message level evaluation -- is most definitely not in scope though. It should be noted that even if it were, it is a receiver-side annotation which may or may not have things to say about DKIM-base, SSP, SPF and all kinds of other things.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
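As an added example (not code from this thread, from Hector's or Mike's posts, or from the dkim-base draft), the Python below separates the two layers Mike is distinguishing. verify_signatures() does only what dkim-base specifies: one pass/fail per DKIM-Signature header. evaluate() is one possible receiver policy layered on top of those results (first-party signature from the From domain versus a third-party signature such as the ASP's), and auth_results() is the receiver-side annotation, both outside the protocol. The tag-list parsing, h= header selection and relaxed canonicalization follow RFC 6376. Assumptions, so that the example runs offline with the standard library only: the rsa-sha256 verification against a public key fetched from DNS is replaced by HMAC-SHA256 with an in-memory KEYS table standing in for the d=/s= lookup ("a=hmac-sha256" is not a real DKIM algorithm value); header lines are not folded; and build_message() constructs the message from the thread (bank.com signs, the ASP rewrites the Subject and then adds its own signature), so the bank.com signature fails and the asp.com signature passes. All function names are this example's own.

```python
# Added example, not code from the list thread or the dkim-base draft.  Tag parsing,
# h= selection and relaxed canonicalization follow RFC 6376; assumption: the
# rsa-sha256-over-DNS step is replaced by HMAC-SHA256, with KEYS standing in for
# the d=/s= DNS lookup ("a=hmac-sha256" is not a real DKIM algorithm value).
import base64
import hashlib
import hmac
import re

KEYS = {("bank.com", "k1"): b"bank-key", ("asp.com", "k1"): b"asp-key"}  # hypothetical

def parse_tags(value):
    """DKIM tag=value list (RFC 6376 s.3.2) -> dict; FWS inside values is dropped."""
    return {k.strip(): "".join(v.split()) for k, _, v in
            (item.partition("=") for item in value.split(";")) if k.strip()}

def canon_header(name, value):
    """Relaxed header canonicalization (RFC 6376 s.3.4.2): unfold, collapse WSP, trim."""
    value = re.sub(r"\s+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n"

def canon_body(body):
    """Relaxed body canonicalization (RFC 6376 s.3.4.4)."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body):
    return base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()

def parse_message(raw):
    """CRLF message -> ([(name, value)], body); assumption: header lines are not folded."""
    head, _, body = raw.partition("\r\n\r\n")
    return [tuple(ln.split(":", 1)) for ln in head.split("\r\n")], body

def signed_data(headers, sig_index, tags):
    """Bytes covered by one signature: each h= header (last unused instance, bottom-up,
    RFC 6376 s.5.4.2), then the DKIM-Signature header itself with the b= value emptied."""
    used, out = set(), ""
    for name in (h.lower() for h in tags.get("h", "").split(":")):
        for i in range(len(headers) - 1, -1, -1):
            if headers[i][0].lower() == name and i not in used:
                used.add(i)
                out += canon_header(*headers[i])
                break
    sig_name, sig_value = headers[sig_index]
    sig_value = re.sub(r"(?<![^\s;])b=[^;]*", "b=", sig_value)  # empties b=, leaves bh=
    return (out + canon_header(sig_name, sig_value).rstrip("\r\n")).encode()

def sign(headers, body, domain, selector, h_list):
    """Produce a DKIM-Signature header for the message as it is at this moment."""
    value = (f" v=1; a=hmac-sha256; c=relaxed/relaxed; d={domain}; s={selector};"
             f" h={':'.join(h_list)}; bh={body_hash(body)}; b=")
    probe = headers + [("DKIM-Signature", value)]
    data = signed_data(probe, len(probe) - 1, parse_tags(value))
    mac = hmac.new(KEYS[(domain, selector)], data, "sha256").digest()
    return ("DKIM-Signature", value + base64.b64encode(mac).decode())

def verify_signatures(raw):
    """What dkim-base provides: one pass/fail per DKIM-Signature header, nothing more."""
    headers, body = parse_message(raw)
    results = []
    for i, (name, value) in enumerate(headers):
        if name.lower() != "dkim-signature":
            continue
        tags = parse_tags(value)
        key = KEYS.get((tags.get("d"), tags.get("s")))  # stand-in for the DNS key lookup
        ok = (key is not None and tags.get("bh") == body_hash(body) and hmac.compare_digest(
            hmac.new(key, signed_data(headers, i, tags), "sha256").digest(),
            base64.b64decode(tags.get("b", ""))))
        results.append((tags.get("d"), "pass" if ok else "fail"))
    return results

def evaluate(raw, results):
    """One possible receiver policy, out of dkim-base's scope: is any passing
    signature from the From domain (first party) or only from a third party?"""
    from_value = next(v for n, v in parse_message(raw)[0] if n.lower() == "from")
    from_domain = re.search(r"@([^\s>]+)", from_value).group(1).lower()
    passing = sorted(d for d, r in results if r == "pass")
    if from_domain in passing:
        return "first-party signature verified"
    return "only third-party signature(s) verified: " + ", ".join(passing) if passing else "no valid signature"

def auth_results(authserv_id, results):
    """Receiver-side annotation (shape later standardized as RFC 8601), separate from dkim-base."""
    return f"Authentication-Results: {authserv_id}; " + "; ".join(f"dkim={r} header.d={d}" for d, r in results)

def build_message(tamper_subject=True):
    """Constructed reproduction of the thread's scenario: bank.com signs, the ASP
    rewrites the Subject (breaking that signature), then adds its own signature."""
    headers = [("From", " accounts@bank.com"), ("To", " PoorUser@ISP.COM"),
               ("Subject", " Check your account"), ("Sender", " support@asp.com")]
    body, h_list = "Please check your account.\r\n", ["from", "to", "subject", "sender"]
    headers.insert(0, sign(headers, body, "bank.com", "k1", h_list))
    if tamper_subject:
        headers = [(n, " [asp] Check your account" if n == "Subject" else v) for n, v in headers]
    headers.insert(0, sign(headers, body, "asp.com", "k1", h_list))
    return "\r\n".join(f"{n}:{v}" for n, v in headers) + "\r\n\r\n" + body
```

Running verify_signatures(build_message()) gives [('asp.com', 'pass'), ('bank.com', 'fail')]: that list is the whole of what the protocol layer says. Whether the message is then treated as "valid" is evaluate()'s decision, which here reports only a third-party signature because the passing d= does not match the From domain; with build_message(tamper_subject=False) both signatures pass and the same policy reports a first-party signature. Altering the body after both signatures were made fails both, since bh= no longer matches.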