On Tuesday 01 August 2006 09:57, John Levine wrote: > >> In my book it's the same as A signed by A. The only concern I would > >> have is if B added content, what to do about that, I'm not sure. > > I'd appreciate a concrete example where B adds and signs content without > breaking A's signature. > > There's a few scenarios that have come up: > > * The first signature has l= and B adds stuff at the end. > > * The first signature didn't have MIME headers and B adds them, > perhaps making a lot of the original message invisible in a newly > defined MIME part. > > Note that these two are easy to defend against: always sign MIME headers, > even if there aren't any, and don't use l=. > > If people think there are other scenarios where a second signer can > make signficant changes to a message without breaking an existing > signature, we have worse problems than SSP. > No, those are the things I was thinking about. Probably not a significant issue, but I thought it worth mentioning.
Scott K _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
