"Charles Lindsey" <[EMAIL PROTECTED]> writes:

> The scenario you need to consider is where A asserts a policy of "I
> sign everything", and sends a correctly signed message to some mailing
> list B.
>
> B can (and should) check that the signature is good, and is consistent
> with A's policy, etc. But then B adds his standard mailing list
> boilerplate "NOTE WELL ..." thus breaking A's signature. He then
> signs the message again (as a 3rd party).
>
> Now the ultimate recipients see A's signature (no longer good), plus
> A's policy. So the message is on the face of it "suspicious". So what
> is the recipient supposed to do? He is a member of the list, and is
> happy to trust the list maintainer, and can check the 2nd
> signature. But he is still receiving conflicting advice.
>
> The only real solution to this problem is for B to add an
> Authentication-Results header (see the Mail-Vet-Discuss mailing list),
> and to include that header in his own signature. Maybe that is
> veering off topic for this list, but at least there should be a
> pointer to that sort of possibility.
If A had used 'l=' and assuming the boilerplate is added to the end of the message and that B does not change the headers (e.g. to add [listname] at the start of Subject:) then A's and B's signatures should both validate.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
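The effect of 'l=' on the body hash when a list appends a footer, as an added example that is not part of the original message. It models only the DKIM body hash (bh=) with "simple" body canonicalization, not the header signature; the function names and the sample message and footer are constructed for illustration.

```python
import base64
import hashlib

def canon_simple(body: bytes) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines and end
    with exactly one CRLF (an empty body becomes a single CRLF)."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body

def body_hash(body: bytes, l=None) -> str:
    """SHA-256 body hash over the canonicalized body, limited to the
    first l octets when a body length count is given."""
    data = canon_simple(body)
    if l is not None:
        if l > len(data):
            raise ValueError("body is shorter than the signed length")
        data = data[:l]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def verify_body(received: bytes, bh: str, l=None) -> bool:
    """Recompute the body hash on the received body and compare to bh."""
    try:
        return body_hash(received, l) == bh
    except ValueError:
        return False

# Constructed sample data (not taken from the thread).
ORIGINAL = b"Hello list,\r\nsigned by A.\r\n"
FOOTER = b"_______________\r\nNOTE WELL: list rules apply\r\n"
FORWARDED = ORIGINAL + FOOTER            # B appends its boilerplate

L_TAG = len(canon_simple(ORIGINAL))      # value A would place in l=
BH_WITH_L = body_hash(ORIGINAL, L_TAG)   # A's bh= when signing with l=
BH_NO_L = body_hash(ORIGINAL)            # A's bh= when signing the whole body

def demo() -> dict:
    return {
        "l= set, footer appended": verify_body(FORWARDED, BH_WITH_L, L_TAG),
        "no l=, footer appended": verify_body(FORWARDED, BH_NO_L),
        "l= set, text prepended": verify_body(FOOTER + ORIGINAL, BH_WITH_L, L_TAG),
        "l= set, body truncated": verify_body(ORIGINAL[:10], BH_WITH_L, L_TAG),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'pass' if ok else 'fail'}")
```

Only the first l octets are covered by A's signature, so a recipient should treat anything after that point as unauthenticated by A.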
