On Sat, 9 Oct 2004, Jim Fenton wrote:

> At 01:44 PM 10/8/2004 -0700, william(at)elan.net wrote:
>> On Fri, 8 Oct 2004, James M Galvin wrote:
>>> I am still opposed to an end-to-end email signature mechanism, more
>>> precisely, an end-user to end-user mechanism. I still believe that to do
>>> so would be re-inventing secure email.
>>
>> It would if you built completely new signature system like Yahoo and
>> Cisco want. But if we extend on S/MIME it's just a way to use existing
>> secure email technology in new application (that may require new
>> extensions for it to work properly for our design).
>
> If you think that Identified Internet Mail and DomainKeys are strictly
> end-user to end-user mechanisms, I think you misunderstand. This is
> discussed to some extent in section 4 of
> but in rereading it could probably have been clearer. I will try to fix
> that in the next revision. Signing and verification can be done in the
> MUA, or can be done in an MTA (and not even the first/last hop; it just
> has to be an MTA within your own trust domain).

I'm not sure where you got the idea that I think they are strictly end-user
mechanisms. I've read fully both your draft and domain keys draft and think
they are primarily designed for MTA just like pretty much every other
proposal we have on the table. At the same time all these proposals can
in theory work if signature is added by MUA too.
My original comment is that majority of proposals are reinventing secure
email, something that we've already worked on for last 7 years and came
with some results (two standards are well tested and used, unfortunately
they require all MUAs to be upgraded to support the standard
the sender is using and that together with necessity to educate hundreds
of millions of users on how to use it caused very slow adaption). I believe
that it's better to instead try to use what we've already got and make
whatever changes are necessary to be able to use existing email standard
for primarily MTA to MTA email signing system.