ietf-mailsig

Re: SSP outbound signing policy

2005-07-31 16:22:40

On July 31, 2005 at 14:46, Jim Fenton wrote:

The first signature is not made invalid if the second signature
can specify its role; i.e. the second signature is not bound
to the OA.

And even with that, if the second signature is binding to the
OA, it is invalid if the OA SSP disallows 3rd-party signing.  This
should have no effect on the first signature.

If the second signature binds to the OA, it is not a third-party 
signature, it is a first-party signature.  A third-party signature is a 
signature that does not bind to the OA.  So the third-party signing 
policy is irrelevant.

I think we see the term "3rd-party" differently.  I view the term in
association with an entity's relationship to the OA.  If an entity
is the OA, or an official agent of the OA operating in the same domain
(due to legal agreement), the entity is first-party.

3rd-party is any other entity.

A "3rd-party signature" is a signature created by a 3rd-party that
is either bound to the OA or to something else.

In the examples provided in other messages, a mailing list owner would be
a 3rd-party.  And in this case, a list owner may want to sign messages
where the signature is bound to the message as it is redistributed
to subscribers.  This 3rd-party signature is bound to the list owner
address and not the OA.  In this case, the OA's SSP does not play
a role.

If the list owner attempts to bind the signature to the OA, the OA's
SSP plays a role, and if 3rd-party signatures are forbidden, the list
owner can create such a signature.

Am I off base here?  Regardless, the term "3rd-party" must be clearly
defined in the DKIM SSP so verifiers can properly honor SSPs.  Also,
it should be clear when one is referring to a "3rd-party entity"
versus a "3rd-party signature".

--ewh
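The distinction drawn in the message above, between a 3rd-party *entity* and a 3rd-party *signature* bound either to the OA or to something else, can be written down as a small verifier decision procedure. The following is an added illustration, not code from the mailing list or from any DKIM implementation: it models the author's terms (OA, first-party entity, SSP that permits or forbids 3rd-party signing) with constructed field names, a dict-based SSP lookup, and status strings of my own choosing; real DKIM/SSP record syntax is not modelled, and the assumption that a missing SSP permits 3rd-party signatures is mine.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed model of the thread's vocabulary (not real DKIM syntax).
# OA  = originating address domain (the author's address).
# SSP = the sender signing policy published by the OA's domain.


@dataclass(frozen=True)
class Signature:
    signer: str            # domain of the entity that created the signature
    bound_to: str          # domain the signature claims to speak for
    verifies: bool = True  # cryptographic check, assumed done elsewhere


@dataclass(frozen=True)
class SSP:
    allow_third_party: bool  # may 3rd-party entities sign on the OA's behalf?


# Verdict strings are hypothetical labels for this example only.
FIRST_PARTY = "first-party signature"
THIRD_PARTY_FOR_OA_OK = "3rd-party signature bound to OA, permitted by OA SSP"
THIRD_PARTY_FOR_OA_REJECTED = "3rd-party signature bound to OA, forbidden by OA SSP"
THIRD_PARTY_OTHER = "3rd-party signature bound elsewhere, OA SSP not consulted"
BROKEN = "signature does not verify"


def is_first_party_entity(signer: str, oa_domain: str,
                          agents: Dict[str, Set[str]]) -> bool:
    """An entity is first-party if it is the OA itself or an official agent of the OA."""
    return signer == oa_domain or signer in agents.get(oa_domain, set())


def classify_signature(sig: Signature, oa_domain: str,
                       policies: Dict[str, SSP],
                       agents: Dict[str, Set[str]]) -> str:
    """Apply the OA's SSP only where the thread says it applies."""
    if not sig.verifies:
        return BROKEN
    if is_first_party_entity(sig.signer, oa_domain, agents):
        return FIRST_PARTY
    # The signer is a 3rd-party entity.  Only a signature that binds itself
    # to the OA is subject to the OA's SSP; one bound to another address
    # (e.g. a list owner signing as itself) is judged without it.
    if sig.bound_to != oa_domain:
        return THIRD_PARTY_OTHER
    policy: Optional[SSP] = policies.get(oa_domain)
    if policy is None or policy.allow_third_party:  # assumption: no SSP => permitted
        return THIRD_PARTY_FOR_OA_OK
    return THIRD_PARTY_FOR_OA_REJECTED


def evaluate_message(oa_domain: str, signatures: List[Signature],
                     policies: Dict[str, SSP],
                     agents: Optional[Dict[str, Set[str]]] = None) -> List[str]:
    """Classify each signature on its own: rejecting the list owner's
    signature never invalidates the author's first signature."""
    agents = agents or {}
    return [classify_signature(s, oa_domain, policies, agents) for s in signatures]


# Constructed sample: an author at example.org whose SSP forbids 3rd-party
# signing, redistributed through a list at lists.example.net.
POLICIES = {"example.org": SSP(allow_third_party=False)}
EXAMPLE_SIGS = [
    Signature(signer="example.org", bound_to="example.org"),            # author's own
    Signature(signer="lists.example.net", bound_to="example.org"),      # list binds to OA
    Signature(signer="lists.example.net", bound_to="lists.example.net"),  # list signs as itself
]

if __name__ == "__main__":
    for sig, verdict in zip(EXAMPLE_SIGS,
                            evaluate_message("example.org", EXAMPLE_SIGS, POLICIES)):
        print(f"{sig.signer:>20} -> {sig.bound_to:<20} {verdict}")
```

Running the sample shows the three outcomes the message distinguishes: the author's signature stands regardless of what the list does, the list owner's attempt to bind to the OA is rejected by the OA's SSP, and the list owner's signature bound to its own address is accepted without consulting that SSP at all. Flipping `allow_third_party` to `True` changes only the second verdict.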
