bill(_dot_)oxley(_at_)cox(_dot_)com wrote:
It may well be unenforcable. If I send an email directly to
stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie signed and with the SSP
record of
"I sign all email, and do NOT permit email through any body or
signature altering gateways"
I will open a session on port 25 at mx.cs.tcd.ie and hope that the
receiving mta does not add its own sig to the message before depositing
it to the inbox. Local rules might require the additional sig to ensure
that the inbox only gets mail from the edge mta. Now if Stephen is using
one of Doug's dkim aware MUA's that "see's" 2 signatures where only one
should be might flag the message with a red warning "suspicious mail
lies here" or inform Stephen that the message was deleted because the
SSP didn't match.
Some different thoughts/questions on this one.
First, is this really likely? Shouldn't such validation be handled
in the context of a closed network?
Second, does adding a new signature alter the original signature?
If not, then that would be fine.
Third, if the signature(s) verify, then would the policy even be
checked? It's not in the single-sig context. This leads back to
the unenforceable thing - you could always remove the original unremovable
signature, sign it again, and since the policy isn't checked, no one
would be the wiser. Perhaps this is an argument for having policy-first
in effect all the time.
Finally, how is an MUA or an MTA supposed to validate mail that has more
than one signature? Does it validate all of them, or only the outermost?
tom
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html