Hector Santos wrote:
However, if there was a second signature:

  DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
      c=simple; q=dns;
      h=Received : From : To : Subject : Date : Message-ID;
      b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
        VoG4ZHRNiYzR;
  Received: from 10.2.3.4-example.com [10.2.3.4]
      by submitserver.example.com with SUBMISSION;
      Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
  DKIM-Signature: a=rsa-sha1; s=key123; d=example.com;
      c=simple; q=dns;
      h=From : To : Subject : Date : Message-ID;
      b=ABC....ZYZ;
  From: Joe User <joe.user@example.com>
  To: Suzie Q <suzie@shopping.example.net>
  Subject: I need your help?
  Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
  Message-ID: <20030712040037.46341.5F8J@example.com>

And this second signature passes, we still might need to look up the SSP for
example.com because the policy might suggest no further signing was
expected.

This means that the addition of a valid signature to a message with a
valid first-party signature could make it invalid. I'd like to
understand what problem this solves; it doesn't seem to be protecting
against abuse of the original message.

IMO, an additional assertion of accountability for a message shouldn't
make it less valid.

-Jim
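
Added example, not part of the original message or of any DKIM implementation: a Python sketch that labels each DKIM-Signature on the sample message as first-party or third-party relative to the From domain, then shows how the verdict changes between the two positions in this exchange. Verification results are passed in rather than computed, and the `no_further_signing_expected` switch and the verdict strings are hypothetical names, not SSP syntax.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted above; b= values are placeholders.
SAMPLE = """\
DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
 c=simple; q=dns; h=Received : From : To : Subject : Date : Message-ID;
 b=PLACEHOLDER1;
Received: from 10.2.3.4-example.com [10.2.3.4] by submitserver.example.com
DKIM-Signature: a=rsa-sha1; s=key123; d=example.com;
 c=simple; q=dns; h=From : To : Subject : Date : Message-ID;
 b=PLACEHOLDER2;
From: Joe User <joe.user@example.com>
To: Suzie Q <suzie@shopping.example.net>
Subject: I need your help?

Constructed body.
"""

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags["".join(name.split())] = "".join(val.split())
    return tags

def classify(raw, verified_domains):
    """Return (from_domain, [(d, party, verified)]) in header order."""
    # Assumption: "first-party" means d= equals the From domain exactly, and
    # verified_domains holds the d= values whose signatures already verified.
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    sigs = []
    for value in msg.get_all("DKIM-Signature", []):
        d = parse_tags(value).get("d", "").lower()
        sigs.append((d, "first" if d == from_domain else "third", d in verified_domains))
    return from_domain, sigs

def verdict(sigs, no_further_signing_expected):
    """Hypothetical switch: True models a policy that expects no additional signatures."""
    first_ok = any(party == "first" and ok for _, party, ok in sigs)
    extra_ok = any(party == "third" and ok for _, party, ok in sigs)
    if not first_ok:
        return "no valid first-party signature"
    # Under the strict reading, a valid extra signature downgrades the message.
    return "fail" if no_further_signing_expected and extra_ok else "accept"
```

With both signatures verified, the strict reading returns "fail" while the same message carrying only the example.com signature returns "accept", which is the inversion the reply objects to.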