On July 27, 2005 at 21:33, "Hector Santos" wrote:
o=~ NEUTRAL or RELAXED (signature optional [,No 3rd party?])
o=- STRONG (signature required, 3rd party allowed)
o=! EXCLUSIVE (signature required, no 3rd party)
o=. NEVER (no mail expected)
o=^ USER
Right. This is why I had the parenthetical 3rd party question mark in the
Neutral option. The specs does not specifically states neutral policy allows
for 3rd party signing.
I think your WEAK idea clears it up:
o=? WEAK (signature optional, no third party)
o=~ NEUTRAL or RELAXED (signature optional, 3rd aparty allowed)
I think this is not enough. To enable third-party signing, the
ability to list which signing agents are allowed to sign must
be provided. Otherwise, enabling third-party signing opens you
up to spoof attacks, making third-party signing pointless.
Related to this is that third-party signing would require DKIM to be
modified to state that the i= tag does not need to be a subdomain of
the d= tag since the signing address can be of a different domain
from the signer. Or, if third-party signing is done, the i= tag
should not be specified.
--ewh