----- Original Message -----
From: "william(at)elan.net" <william(_at_)elan(_dot_)net>
To: "Hector Santos" <hsantos(_at_)santronics(_dot_)com>
Cc: "IETF-MAILSIG" <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Tuesday, August 02, 2005 5:15 AM
Subject: Re: DKIM Verification Algorithm
On Mon, 1 Aug 2005, Hector Santos wrote:
[2] Arvel suggested another policy called WEAK which satisfies a
signature optional but not allowing 3rd party signers.
What is the reasoning behind the need for such an option?
I see none, since if the signature is optional, somebody who is trying to
pretend to be you need not re-sign the email - he can just go ahead
and use your existing email, removing your signature from it (or compose
a new email pretending to be you).
Of course, I can see the same thing happening with any relaxed policy.
I believe it (WEAK) offers a stronger policy than NEUTRAL which does allow
for a 3rd party signer and a lower trust. At least with the WEAK, it
protects against 3rd party signing (if detected).
            +------------------------------------------------------+
            |             Sender Signing Policy Result             |
+-----------+----------------------------------------------+-------|
| result    |  WEAK  | NEUTRAL | STRONG  | EXCLU  | NEVER  | NONE  |
| verify    |  OPT   | OPT/3PS | REQ/3PS |  REQ   |        |       |
+-----------+--------+---------+---------+--------+--------+-------|
| NONE      | accept | accept  | reject  | reject | reject | accept|
|-----------+--------+---------+---------+--------+--------+-------|
| PASS      | accept | accept  | accept  | accept | reject | warn  |
|-----------+--------+---------+---------+--------+--------+-------|
| PASS 3PS  | reject | warn    | accept  | reject | reject | warn  |
|-----------+--------+---------+---------+--------+--------+-------|
| FAIL      | warn   | warn    | warn <.-+> warn  | reject | warn  |
|-----------+--------+---------+-------+-+--------+--------+-------|
| FAIL 3PS  | reject | warn    | warn <|-+> reject| reject | warn  |
+--------------------------------------+---------------------------+
                                       | ^
           these all should be reject -+ |
                                         |
                      warn from this column are unclear to me
Not sure which you are referring to?
FAIL verify, EXCLUSIVE?
FAIL 3PS verify, EXCLUSIVE?
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
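
Added example (not part of the original message or thread): the result matrix above transcribed as data, with a check for the concern raised in the quoted reply, namely policies under which an unsigned copy of a message is handled more leniently than a signed one that fails or is signed by a 3rd party. The strictness ranking accept < warn < reject and all function names are assumptions made for this illustration.

```python
# Matrix transcribed from the table in the message (rows: verify result,
# columns: sender signing policy). Names below are hypothetical helpers.
POLICIES = ["WEAK", "NEUTRAL", "STRONG", "EXCLU", "NEVER", "NONE"]
MATRIX = {
    "NONE":     ["accept", "accept", "reject", "reject", "reject", "accept"],
    "PASS":     ["accept", "accept", "accept", "accept", "reject", "warn"],
    "PASS 3PS": ["reject", "warn",   "accept", "reject", "reject", "warn"],
    "FAIL":     ["warn",   "warn",   "warn",   "warn",   "reject", "warn"],
    "FAIL 3PS": ["reject", "warn",   "warn",   "reject", "reject", "warn"],
}

# Assumed ranking of dispositions from most to least lenient.
STRICTNESS = {"accept": 0, "warn": 1, "reject": 2}


def disposition(verify, policy):
    """Look up the receiver action for a verify result under a policy."""
    return MATRIX[verify][POLICIES.index(policy)]


def strip_downgrades(policy):
    """Verify results that are treated more strictly than no signature at all.

    For each of these, the same message without any signature would get a
    more lenient disposition, so the stricter outcome is not enforceable.
    """
    unsigned = STRICTNESS[disposition("NONE", policy)]
    return [
        verify
        for verify in MATRIX
        if verify != "NONE"
        and STRICTNESS[disposition(verify, policy)] > unsigned
    ]


def bypassable_policies():
    """Map each policy to the outcomes an unsigned message would sidestep."""
    found = {}
    for policy in POLICIES:
        weaker = strip_downgrades(policy)
        if weaker:
            found[policy] = weaker
    return found


if __name__ == "__main__":
    for policy, outcomes in bypassable_policies().items():
        print(f"{policy}: unsigned mail is treated better than {outcomes}")
```

Only the policies that accept unsigned mail (WEAK, NEUTRAL, NONE) are reported; the columns that reject a missing signature have no such gap.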