>Under at least one of the proposals, it can be determined that "yes, A
>signed the mods, and if the mods are removed to re-generate the original
>message, B signed the original message". If we have that, then I think
>the question becomes: if this is to be a DMARC-like scheme, how do we tie
>A's signature to some kind of relevant header field, since the "From:"
>header is already "reserved" for the original signer.

You don't even need to be able to tell what part of the message is attributable to which party. All you need to know is that the first signer considers it to be close enough.

Remember the key axiom of mail reputation: you cannot say good things about yourself, only neutral or bad things. (This should be obvious if you think about it for a moment, since any assertion a nice sender can make, a nasty sender can also make.) Good stuff has to come from trusted third parties, and given the difficulty of establishing trust, that means the number of third parties has to be small.

Hence DMARC answers the question "is this a bad message?" It only tells you whether a message is so awful that the recipient should throw it away. Once it's passed that test, the recipient then does whatever it does with any other mail to decide how spammy it is and what to do with it.* If the SPF or DKIM identity happens to belong to someone the receiver likes or trusts, that's fine but it has nothing to do with DMARC.

That means that if a message has passed through two entities or mediators or whatever, the recipient does not care what part of the message originated where because it's going to deliver or reject the whole message, not the individual parts. If my MTA gets a 419 from a mailing list, it doesn't care whether the list is leaking 419s from the original sender, or the list is 419-izing innocent mail. It's going to bin it either way.

That's why I made my double signing proposal the way I did: it's just enough that the original signer can say, yeah, close enough. The other more complex proposals can tell the recipient lots of other stuff, but it's not stuff that is useful to the recipient (except perhaps for exotic forensic purposes) so there's no value to the extra complication.

R's,
John

* - someone will probably disagree with this, but he is wrong

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
