Hector, Perhaps part of the disconnect here is the question of whether the policy applies to the validity of the message or to the validity of individual signatures.
John's original question is premised on the idea that there may be multiple signatures on a message. Let's take it as a given for now that there may be. The ! (EXCLUSIVE) policy says "Third-party signatures SHOULD NOT be accepted". So if a message with an OA signature and a third-party signature is verified, and the SSP is EXCLUSIVE, then the third-party signature SHOULD be ignored, leaving the OA signature. The message isn't considered Suspicious if the message has a valid OA signature. In other words, it doesn't say "messages with third-party signatures SHOULD NOT be accepted", it says that the third-party signature itself SHOULD NOT be.

I agree with many that it doesn't make a lot of sense to put a third-party signature on a message that has an EXCLUSIVE SSP. But I don't see why it should harm the message to do so, so long as applying the new signature doesn't break one that's already there. The verifier has to check SSP regardless (unless it verifies that there is a valid OA signature first); it should be up to the re-signer to decide whether to also check SSP or not.

-Jim

P.S.: I'll echo Stephen's request for more comments on the threat analysis document. I KNOW it isn't perfect!

Hector Santos wrote:
> ----- Original Message -----
> From: "Michael Thomas" <[EMAIL PROTECTED]>
>
>>> For the EXCLUSIVE policy? Following SSP, it would be a
>>> REJECT because the policy says no 3PS should exist.
>>>
>> That's not what it says. It says:
>>
>> "! All mail from the entity is signed; Third-Party
>> signatures SHOULD NOT be accepted"
>>
>> In the context, it means that it requires a first party signature.
>> It should probably be more explicit on this point.
>>
>
> In the context of Levine's question,
>
> Levine:
> "if a message has both a signature from the From: domain
> and one from someone else, does that pass? Why or why not?"
>
> Following your SSP draft description as posted above, this would be an
> unaccepted condition.
>
> What is the difference?
>
> --
> Hector Santos, Santronics Software, Inc.
> http://www.santronics.com

_______________________________________________
ietf-dkim mailing list
http://dkim.org
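The disconnect in the thread is whether "!" rejects third-party signatures or rejects messages carrying them. The following is an added model of both readings applied to Levine's case; it is example code written for this page, not the SSP draft's text nor any implementation discussed on the list. Signature verification outcomes, the domain names and the message cases are all constructed inputs: there is no DNS lookup, canonicalization or RSA here, and the model only covers a From: domain whose published policy is "!".

```python
"""Model of the two readings of the SSP "!" (EXCLUSIVE) policy from the thread.

Signature verification results are constructed inputs (assumed, not computed),
and the From: domain is assumed to publish an EXCLUSIVE policy.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Signature:
    domain: str   # d= of the DKIM-Signature header
    valid: bool   # outcome of cryptographic verification (assumed input)


def is_originator(sig: Signature, from_domain: str) -> bool:
    """An originator-address (OA) signature is one whose d= matches the From: domain."""
    return sig.domain.lower() == from_domain.lower()


def per_signature_reading(from_domain: str,
                          sigs: List[Signature]) -> Tuple[str, List[Signature]]:
    """Jim's reading of "!": third-party *signatures* SHOULD NOT be accepted.

    Third-party signatures are ignored; the message is Suspicious only if no
    valid OA signature remains.  Returns (verdict, signatures that survived).
    """
    accepted = [s for s in sigs if is_originator(s, from_domain) and s.valid]
    verdict = "pass" if accepted else "suspicious"
    return verdict, accepted


def message_reading(from_domain: str, sigs: List[Signature]) -> str:
    """Hector's reading of "!": the presence of any third-party signature is
    itself an unaccepted condition, so the *message* is Suspicious even when a
    valid OA signature is present."""
    if any(not is_originator(s, from_domain) for s in sigs):
        return "suspicious"
    return "pass" if any(s.valid for s in sigs) else "suspicious"


def needs_ssp_lookup(from_domain: str, sigs: List[Signature]) -> bool:
    """Jim's shortcut: a verifier that checks for a valid OA signature first can
    skip the SSP query under the per-signature reading, because the message
    passes whatever the policy says.  Without one, SSP must be consulted."""
    return not any(is_originator(s, from_domain) and s.valid for s in sigs)


# Constructed inputs (hypothetical domains, not from the thread).
FROM_DOMAIN = "example.com"
# Levine's question: a valid From:-domain signature plus a valid third-party one.
LEVINE_CASE = [Signature("example.com", True), Signature("list.example.net", True)]
# Jim's caveat: the re-signer broke the OA signature already on the message.
BROKEN_OA_CASE = [Signature("example.com", False), Signature("list.example.net", True)]
# Only a third-party signature, no OA signature at all.
THIRD_PARTY_ONLY = [Signature("list.example.net", True)]


if __name__ == "__main__":
    cases = [("Levine", LEVINE_CASE), ("broken OA", BROKEN_OA_CASE),
             ("3PS only", THIRD_PARTY_ONLY)]
    for name, sigs in cases:
        verdict, kept = per_signature_reading(FROM_DOMAIN, sigs)
        print(f"{name:10s} per-signature -> {verdict:10s} kept={[s.domain for s in kept]} "
              f"per-message -> {message_reading(FROM_DOMAIN, sigs):10s} "
              f"SSP lookup needed -> {needs_ssp_lookup(FROM_DOMAIN, sigs)}")
```

Running it shows where the two readings diverge: only on Levine's case, where the per-signature reading passes the message on its OA signature while the per-message reading marks it Suspicious. Both readings agree that a message whose OA signature was broken by a re-signer, or that carries only a third-party signature, is Suspicious under "!".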
