On October 13, 2005 at 18:58, John Levine wrote:

> >3. If it decides that it should pass, the mailing list should LEAVE the
> >existing signature (that part is not universally agreed on, of course,
>
> Since the signature won't verify any more, I don't see the point.

If the data hash was a separate parameter in the DKIM-Sig field and only the DKIM-Sig field is what is digitally signed, then there can be some value in leaving the existing signature. Of course, verifiers cannot put any weight on the field if the data hash fails, but it can be useful for trace and auditing purposes.

> There have been some proposals to standardize a header that a verifier
> could add to say that it found a good signature, and the outgoing
> signer could sign that, but I'm not sure that's any more useful in
> practice.

With the data hash separate, the list software can include the existing DKIM-Signature in its data hash. This tells the recipient that the list software verified the original signature before sending the message out to subscribers, and the recipient can still verify the cryptographic signature of the original signature.

--ewh

_______________________________________________
ietf-dkim mailing list
http://dkim.org
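As an added illustration (not part of this thread or of any DKIM implementation), the model ewh describes: the data hash lives in its own tag, the signature covers only the header set plus the signature field, and the list re-signs with the original DKIM-Signature named in its own header set. Keys and domains are constructed, and HMAC stands in for the RSA signing step so the script needs only the standard library.

```python
import hashlib
import hmac

# Constructed keys; HMAC stands in for the RSA step so this runs on the standard
# library alone. The tag layout (h=, bh=, b=) follows the DKIM-Signature field.
KEYS = {"author.example": b"author-secret", "list.example": b"list-secret"}

def body_hash(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()

def serialize(sig: dict) -> str:
    return "; ".join(f"{k}={v}" for k, v in sig.items())

def parse(field: str) -> dict:
    return dict(kv.split("=", 1) for kv in field.split("; "))

def signed_data(headers: list, sig: dict) -> bytes:
    """Input to b=: each header named in h= (bottom-most occurrence, so naming
    DKIM-Signature selects the earlier signer's field), then the new field with b= empty."""
    lines = []
    for name in sig["h"].split(":"):
        lines.append(name + ":" + [v for n, v in headers if n == name][-1])
    lines.append("DKIM-Signature:" + serialize({**sig, "b": ""}))
    return "\r\n".join(lines).encode()

def sign(headers: list, body: str, domain: str, h_tags: list) -> dict:
    sig = {"d": domain, "h": ":".join(h_tags), "bh": body_hash(body), "b": ""}
    sig["b"] = hmac.new(KEYS[domain], signed_data(headers, sig), "sha256").hexdigest()
    return sig

def verify(headers: list, body: str, sig: dict) -> dict:
    """Report the two checks separately: the signature over the header set
    (which covers bh=) and the data hash recomputed over the current body."""
    mac = hmac.new(KEYS[sig["d"]], signed_data(headers, sig), "sha256").hexdigest()
    return {"header_sig_ok": hmac.compare_digest(mac, sig["b"]),
            "body_hash_ok": body_hash(body) == sig["bh"]}

def scenario() -> dict:
    """Author signs; the list appends a footer and re-signs, naming the
    original DKIM-Signature in its own h=; the recipient checks both."""
    headers = [("From", "alice@author.example"), ("Subject", "[list] hello")]
    body = "original text\r\n"
    orig = sign(headers, body, "author.example", ["From", "Subject"])
    headers = [("DKIM-Signature", serialize(orig))] + headers
    body += "-- \r\nlist footer\r\n"  # the list modifies the body
    lst = sign(headers, body, "list.example", ["From", "Subject", "DKIM-Signature"])
    headers = [("DKIM-Signature", serialize(lst))] + headers
    sigs = [parse(v) for n, v in headers if n == "DKIM-Signature"]  # [list, original]
    return {"list": verify(headers, body, sigs[0]), "original": verify(headers, body, sigs[1])}
```

The original signature's header check still passes after the list edits the body (only its data hash fails), which is the trace value ewh points to, and the list's signature fails if the original DKIM-Signature field it covered is replaced.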
