Dave Crocker wrote:
If a mailing list signs a message and does
not change the FROM this is automatically a "3rd party" signing situation.
this is probably worth clarifying:
it is 'third party signing' if one is attempting to do an assessment based on
the From field, rather than based on the signing field.
if the signing identity is assessed directly then what matters is the assessment
of that identity, not whether it has "permission" from the From field identity.

This is completely confusing me. The signing entity is what it is, but the
signing entity may want to assert that there is a binding between the
signature id and one or more of the outer addresses such as From or Sender.
This binding mechanism was removed from the -base draft and was intended to
be put into the -ssp draft, but we ran out of time. So it seems to me that
there are three cases:

1) the signing identity has no relationship at all to any of the outer
   addresses
2) the signing identity has a relationship with a non-From outside address
3) the signing identity has a relationship with the From address

"Third party" is probably imprecise since it could mean 1, 2 or both. I get
the impression that what people are talking about here is (2) though, but I'm
hopelessly behind.

Mike
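
The three cases listed in the message above, sorted mechanically, as an added example that is not part of the original thread or of any DKIM draft. It assumes "relationship" means an exact match between the signature's d= domain and the domain of an address in the header, which the thread itself leaves undefined, and it checks only Sender as the non-From address; the sample message, domains and the function names are constructed, and no signature is verified.

```python
import email
from email.utils import getaddresses

# Constructed sample: a list-relayed message carrying three signatures.
# The bh=/b= values are placeholders; nothing here verifies a signature.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=s1;\n"
    " h=from:subject; bh=AAAA=; b=BBBB=\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=s2;\n"
    " h=from:sender; bh=AAAA=; b=CCCC=\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=relay.example.com; s=s3;\n"
    " h=from; bh=AAAA=; b=DDDD=\n"
    "From: Alice <alice@example.org>\n"
    "Sender: list-bounces@lists.example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def signing_domain(sig_header):
    """Return the d= tag of a DKIM-Signature header value, lowercased."""
    tags = {}
    for part in sig_header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Drop folding whitespace inside the tag value.
            tags[name.strip().lower()] = "".join(value.split())
    return tags.get("d", "").lower()

def header_domains(msg, field):
    """Domains of every address found in the named header field."""
    addrs = getaddresses(msg.get_all(field, []))
    return {a.rsplit("@", 1)[1].lower() for _, a in addrs if "@" in a}

def classify(raw):
    """Return (signing domain, case number 1-3) for each signature."""
    msg = email.message_from_string(raw)
    from_domains = header_domains(msg, "From")
    sender_domains = header_domains(msg, "Sender")
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        d = signing_domain(sig)
        if d in from_domains:
            case = 3      # related to the From address
        elif d in sender_domains:
            case = 2      # related to a non-From outer address
        else:
            case = 1      # no relationship to any outer address
        results.append((d, case))
    return results
```
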