On Tuesday 01 August 2006 10:00, John Levine wrote:
> >As I read the latter case, the only signature present (C's) is not one that
> > is included in A's SSP. In this case we have a message with a signature
> > that is outside the scope of what A has said is authorized (or not included
> > in A's authoritative list). If A is a high profile phishing target and
> > signs all of its mail, then it would be useful (I think) for receivers
> > to recognize that the message has been signed by someone other than who A
> > said it would.
>
> Why do you want to prevent people from forwarding genuine, unmodified
> messages? That's a feature, not a bug.
>
In this scenario, A has said that it signs all its messages and its signature
is not verifiably present. I don't want to prevent people from forwarding
genuine unmodified messages. This is a case where a signature that the SSP of
A has said is to be expected is missing, not standard forwarding.

> If ebay sends a message with a valid ebay signature, how can any chain
> of forwarding and added signatures change the fact that it's a real
> ebay message? Let's assume that ebay has enough sense to sign its
> MIME headers and not to use l=, so the message that's delivered is the
> same one that was sent.
>
Agreed. As Stephen pointed out, it's the absence of A's signature that is the
real point I'm driving at.

Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
