In an offlist exchange with Doug I asked him whether he thinks the following scenario is an example of his perceived problem with ssp. He said it is an example, so I wanted to check with the list about this.

1. Alice works for Alice-Corp who publish a policy to the effect that they and only they sign all their outbound mail.
2. Alice posts a message to Foo-list which signs the message itself and drops Alice's signature.
3. Bob receives the message from the Foo-list, signed by the list.
4. Bob looks up Alice-Corp's ssp assertion and considers the message as having a bad signature.
5. In order to alleviate this problem Alice-Corp are forced to weaken their policy to allow 3rd party signatures to be accepted by Bob.

So, is there an error in the above? (E.g. does the problem go away if both signatures are maintained with the message, or does it just get more messy, but remain a problem?)

If the above is possible, how should/can it be avoided?

Note: even if this is a valid problematic scenario, I don't believe we need to fix it right now, but we should recognise it as a problem that needs solving.

Stephen.

_______________________________________________
ietf-dkim mailing list
http://dkim.org
