ietf-smime

Re: Signed Label (was RE: 'Signature Purpose' attribute?)

1998-04-13 15:20:03
At 03:08 PM 4/13/98 -0400, David P. Kemp wrote:
  _____________          _________
 |  _________  |        | Content |
 | | Content | |        |- - - - -|
 | |- - - - -| |        | Label X |
 | | Label X | |        |- - - - -|
 | |_________| |        | Label Y |
 |- - - - - - -|        |_________|
 |   Label Y   |
 |_____________|


This is a great picture of the problem with your advocacy of the scenario
on the right. On the left, the security processing software knows exactly
who the originator of the content is and can choose whether or not to honor
Label Y based on that knowledge. In your scenario, the processing software
has no idea which label was applied by the original signer.

Assume that the recipient's processing software has a policy that says "if
you don't understand a security label, toss the message if that label was
issued by the sender but ignore the label if it was added somewhere else".
In human terms, this says "ignore outer security information but pay
attention to the sender's wishes". This works fine for wrapping and fails
completely with signerInfo stuffing.

Basically, we have to trust the sender to specify their wishes.

--Paul Hoffman, Director
--Internet Mail Consortium
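
The policy quoted in the message above, applied to both diagrams, as an added example that is not part of the original message. It models only the structure (no ASN.1 parsing); the class names `Wrapped` and `Stuffed`, the function `evaluate`, and the assumption that the innermost wrapped layer is the sender's are hypothetical choices made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Wrapped:
    """One signature layer with one label, wrapped around inner content."""
    label: str
    content: Union["Wrapped", str]


@dataclass
class Stuffed:
    """One signature layer whose signerInfos each carry a label."""
    labels: List[str]
    content: str


def evaluate(msg, understood):
    """Return 'deliver', 'reject' or 'undecidable' under the quoted policy."""
    if isinstance(msg, Wrapped):
        layers = []
        node = msg
        while isinstance(node, Wrapped):   # peel from the outside in
            layers.append(node.label)
            node = node.content
        sender_label = layers[-1]          # assumption: innermost = sender
        # Outer labels were added elsewhere: ignored even if not understood.
        return "deliver" if sender_label in understood else "reject"
    unknown = [l for l in msg.labels if l not in understood]
    if not unknown:
        return "deliver"
    if len(msg.labels) == 1:
        return "reject"                    # sole signer is the sender
    # Nothing in the structure says which signerInfo is the sender's.
    return "undecidable"


# Constructed sample messages matching the two diagrams.
left = Wrapped("Label Y", Wrapped("Label X", "Content"))
right = Stuffed(["Label X", "Label Y"], "Content")

if __name__ == "__main__":
    for known in ({"Label X"}, {"Label Y"}, {"Label X", "Label Y"}):
        print(sorted(known), evaluate(left, known), evaluate(right, known))
```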