ietf-dkim

[ietf-dkim] Re: 1368 straw-poll :

2007-02-26 06:54:31
Stephen Farrell wrote:

It seems to me that the exchange between John and Charles
below captures the crux of the issue.

Option 1: If we agree with Charles (& Phill I guess) that
looking up SSP and then passing on the only-signed-with-B
message will be common practice then there seems to be a
sufficient reason to include the "I sign all with A"
statement or equivalent in SSP.

Option 2: If OTOH, we agree with John, that further processing
(after sig check & SSP lookup) SHOULD or MUST treat the
only-signed-with-B message as unsigned, with no code branching
on the presence of the putative B-sig, then the additional SSP
expressiveness is useless.

I don't see a rough consensus either way, though I would
guess I've seen a little more support for option 1 in the
last few days than for option 2.

Just to help me out, could you say which option you prefer?
Thanks,
Stephen.

PS: If you prefer some other option or would like to quibble
with my text above, feel free, but maybe change the subject.

Well, I have one small quibble in that I don't understand what
the actual problem is. While that's not a huge problem in the
global scope of things, I do need to understand this enough to
transcribe the outcome. In particular, I haven't seen any clarification
as to why the algorithm bindings in -base are not sufficient to
cover this attack; having -base already solve the problem is
the best outcome, right?

                Mike
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
