Re: Single signature and two level verification cascade

 > Checking to see whether I understand your point:
 >
 >  A message may have at most one mass signature in effect at any one time.
 >  However there may be multiple headers documenting validation of the
 >  signature, such as by a receive-side border MTA and by the MDA.

  As mail is received by the MDA, an mda-verification header is generated,


There are a number of places along the way, on the receive side, that could 
legitimately be the source of the header.  Not just the MDA.  That is why I 
listed the incoming border MTA and the MUA, as examples.

  but this header is not allowed to exist within a message passed through
  the Internet.


The verification header is valid only within the administrative trust domain 
that creates it.

  This scheme would normally result in a single verification header.  For
  mail forwarded, the source of the initial verification should be
  documented, and this involves a verification header that is intended to
  be passed through the Internet and included within the resigning.


If the validation header is only valid within the trust domain that created it, 
then it does not make sense to discuss scenarios that use the header across the 
open Intenret.  That's what you seem to be doing here.

The validation header is a local annotation.  

It especially does not make sense to talk about valdation that survives 
"forwarding" (that is, after re-posting) unless you meant relaying.

  (Swapping a header name should be all that is needed.)  The MSA would
  simply rename the existing mda-verification header as a
  pass-through-verification header. (This process should over-write an
  existing pass-through-verification header.)  Without over-writing, it
  could become a mess otherwise.


What is the point in doing this?

  This approach should work well for a majority of situations where a
  message is modified and reissued, as example within a list server.  This
  pass-through-verification header documents the accountable element of
  the verification used when the message was accepted into the mail
  channel.  If there is a problem, having this information would be useful
  for resolution.


So you are trying to create an audit trail of validations?  Why not simply add 
this to a Received header?  That's where we put audit information.


d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker  a t ...
www.brandenburg.com

<Prev in Thread]	Current Thread	[Next in Thread>
RE: Signature Failure Analysis, (continued) RE: Signature Failure Analysis, Douglas Otis Re: Signature Failure Analysis, Jim Fenton Re: Signature Failure Analysis, Douglas Otis Re: Signature Failure Analysis, Jim Fenton Re: Signature Failure Analysis, Douglas Otis RE: Signature Failure Analysis, David Woodhouse RE: Web pages for MASS effort, william(at)elan.net RE: Web pages for MASS effort, domainkeys-feedbackbase01 Re: Web pages for MASS effort, Dave Crocker Single signature and two level verification cascade, Douglas Otis Re: Single signature and two level verification cascade, Dave Crocker <= Re: Single signature and two level verification cascade, Douglas Otis Re: Single signature and two level verification cascade, Stephen Pollei Re: Single signature and two level verification cascade, Douglas Otis Re: Web pages for MASS effort, Dave Crocker Re: Web pages for MASS effort, Michael Thomas Re: Web pages for MASS effort, Dave Crocker Re: Web pages for MASS effort, william(at)elan.net Re: Web pages for MASS effort, Dave Crocker Re: Web pages for MASS effort, Michael Thomas Re: Web pages for MASS effort, Dan Wing

Previous by Date:	Single signature and two level verification cascade, Douglas Otis
Next by Date:	Re: Single signature and two level verification cascade, Douglas Otis
Previous by Thread:	Single signature and two level verification cascade, Douglas Otis
Next by Thread:	Re: Single signature and two level verification cascade, Douglas Otis
Indexes:	[Date] [Thread] [Top] [All Lists]