ietf-mailsig

Re: DKIM Verification Algorithm

2005-08-02 07:33:41


----- Original Message -----
From: "william(at)elan.net" <william(_at_)elan(_dot_)net>
To: "Hector Santos" <hsantos(_at_)santronics(_dot_)com>

And I see no point to that given no requirements for signatures to be
present from the sender site.

The point is, if it is present, that it needs to be consistent.

Not sure which you are referring to?

FAIL verify, EXCLUSIVE?
FAIL 3PS verify, EXCLUSIVE?

If policy is EXCLUSIVE then if it fails to verify the result is reject,
you have it as warn (you're welcome to also send a warning to sender that
the signature failed but it does not change that signature MUST NOT be
accepted).

Maybe the following was missed:

For the policy:

    OPT       Optional Signing
    REQ       Required Signing
    3PS       3rd party Signed or Allowed

For the Signature Verify Results:

    NONE      No signing in the message.
    PASS      signature verify passed, signed by OA
    PASS 3PS  signature verify passed, signed by 3rd party
    FAIL      signature verify failed, signed by OA
    FAIL 3PS  signature verify failed, signed by 3rd party

I wasn't trying to be too specific on the warning, but only to show what was
in the middle of a spectrum between 100% ACCEPT vs 100% REJECT automation.

I consider the EXCLUSIVE, FAIL 3PS, as a reject because EXCLUSIVE does not
allow for 3rd party signatures.

On the other hand, I subjectively labeled EXCLUSIVE, FAIL as a WARNing
because you don't know why it failed.  Was it because the mail integrity was
broken?  Did it expire?  This might not be a reject, but simply a "warning",
or a red-flag or feed for a spam scorer.

I think the broken integrity issue with DKIM will probably be the common
issue with it.

If policy is STRONG and message's only signature is from origin and it
fails to verify then the result should be exactly the same as above
- you have it as "warn".

Same as above.  STRONG allows for both OA and 3rd party signing. So as long
as it the consistency test first, then you really don't know what the
signature verification failed.  The possible broken integrity issue again.

If policy is STRONG and there are two signatures and both fail to verify
then the message SHOULD NOT be accepted (and warning can again be sent).

Right, it gets more complicated with layers.  The Signature Verify column
assumes 1 or more levels of signatures either failed or passed as a whole.
If one fails, that failed the multiple signing.

But no doubt, the table grows with multiple signatures. I think it can be
filled.  The point is that it must be consistent.

A good example is EXCLUSIVE has no 3rd party signing regardless of how many
layers.  A NEUTRAL or STRONG which allows 3rd party signing simply needs to
be consistent.  I am not sure if 2 signatures failed for a STRONG, if its
just be rejected because of the broken integrity issue.

What if the OA layer PASSED, but the 3rd party Layer FAILED? Does the inner
layer prevail?

Maybe DKIM needs to separate the signing concept into a SHA1 + RSA. Where
maybe the SHA1 is saved in the DKIM-Signature: so that verifier can see if
it's going to hash correctly?  At least that way, you will be able to tell how
it failed.  No?

BTW - In general I had a hard time distinguishing in your matrix situations
with two signatures (one direct and one 3rd party) and when in such
situations only one of the signatures verifies.

Sorry, I used 3PS to reflect 3rd party signing.   I only posted a summary of
my analysis report which has legends and modeling, including pseudo code.  I
wanted to test the waters first, thinking I was going to be ignored anyway,
and I was. So I do appreciate your comments.  But I won't waste any more
time if none of the key cogs are interested.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
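
An added example, not part of the message above and not DKIM's own code: a sketch of the "SHA1 + RSA" separation the message proposes, where the body hash is stored beside the signature so a verifier can report how verification failed. The field names `body_hash` and `sig`, the choice to sign headers plus the stored hash, the unpadded toy RSA key and the sample message are all assumptions made for the illustration.

```python
import hashlib

# Constructed toy RSA key from two Mersenne primes: demo only, far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

def sha1_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(headers: bytes, body: bytes) -> dict:
    """Signer: record the body's SHA-1, then RSA-sign the headers plus that hash."""
    body_hash = hashlib.sha1(body).hexdigest()
    sig = pow(sha1_int(headers + body_hash.encode()), D, N)
    return {"body_hash": body_hash, "sig": sig}  # hypothetical field names

def verify(headers: bytes, body: bytes, tag: dict) -> str:
    """Verifier: report which stage failed instead of a bare FAIL."""
    signed = sha1_int(headers + tag["body_hash"].encode())
    if pow(tag["sig"], E, N) != signed:
        return "FAIL_SIGNATURE"   # headers, stored hash or key do not match
    if hashlib.sha1(body).hexdigest() != tag["body_hash"]:
        return "FAIL_BODY_HASH"   # signature authentic, body changed afterwards
    return "PASS"

# Constructed sample message.
HEADERS = b"From: alice@example.org\r\nSubject: status\r\n"
BODY = b"Build 42 is green.\r\n"
TAG = sign(HEADERS, BODY)

def demo() -> dict:
    altered = BODY + b"-- \r\nlist footer added by a relay\r\n"
    rewritten = {**TAG, "body_hash": hashlib.sha1(altered).hexdigest()}
    return {
        "untouched": verify(HEADERS, BODY, TAG),
        "body_modified": verify(HEADERS, altered, TAG),
        "header_modified": verify(HEADERS.replace(b"alice", b"mallory"), BODY, TAG),
        "hash_rewritten": verify(HEADERS, altered, rewritten),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Checking the signature before the body hash means a `FAIL_BODY_HASH` result refers to a hash the signer actually vouched for, which is the "broken integrity" case the message wants to tell apart from other failures.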

