ietf-mailsig
[Top] [All Lists]

Re: SSP outbound signing policy

2005-07-30 10:00:44

Hector Santos wrote:

However, if there was a second signature:

DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
       c=simple; q=dns;
       h=Received : From : To : Subject : Date : Message-ID;
       b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
         VoG4ZHRNiYzR;
 Received: from 10.2.3.4-example.com  [10.2.3.4]
       by submitserver.example.com with SUBMISSION;
       Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; s=key123; d=example.com
       c=simple; q=dns;
       h=From : To : Subject : Date : Message-ID;
       b=ABC....ZYZ;
 From: Joe User <joe(_dot_)user(_at_)example(_dot_)com>
 To: Suzie Q <suzie(_at_)shopping(_dot_)example(_dot_)net>
 Subject: I need your help?
 Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
 Message-ID: <20030712040037(_dot_)46341(_dot_)5F8J(_at_)example(_dot_)com>

And this second signature passes, we still might need to look up the SSP for
example.com because the policy might suggest no further signing was
expected.
This means that the addition of a valid signature to a message with a valid first-party signature could make it invalid. I'd like to understand what problem this solves; it doesn't seem to be protecting against abuse of the original message.

IMO, an additional assertion of accountability for a message shouldn't make it less valid.

-Jim

<Prev in Thread] Current Thread [Next in Thread>