On Sun, 10 Oct 2004, John Levine wrote:
>I am trying to understand the model, which I thought I came around to
>realizing was a domain-based signature primarily managed by MTAs. If
>I've got that wrong then where did I lose it?
It is indeed a domain-based signature primarily managed by MTAs. It
sounds like the problem is that the rest of us are assuming that it
has to interoperate with the existing e-mail world. That is, if one
of us implements MASS and the other doesn't, and I send you mail or
you send me mail, the result must not be significantly worse than what
happens now. Also, "managed by MTAs" does not mean the same thing as
If this is truly where we are, then as far as discussing what should be
in the Charter for this working group I'm satisfied and will stop
talking. However, I do not believe the current Charter reflects this
problem space very well. Or rather, to put it the other way, the
Charter does not constrain the work to this problem space.
I'd be happy to "put pen to paper", but I would pretty well gut the
current Charter if I did that, and I don't think that's fair to the
folks who originally proposed this work and the work they have already
put into it. I know that's at least Dave Crocker but presumably he's
not doing this alone. The point is, I don't know if I am aligned with
those who wanted this working group or not.
Your paragraph above is an excellent starting point for the Charter, in
Separately, I do want to comment briefly on the issue of
interoperability. Multipart/signed was designed expressly to be
backwards compatible with non-MIME-aware email components. Consider
that the content that was signed appears first and the security
information second, so as not to distract "backwards" components.
To be sure, backwards compatibility is not perfect but it is workable.
And, if you consider that most modern MUAs are, in fact, MIME aware,
perhaps the issue is not so bad on that side. (I have not forgotten the
embedded message/* issue.)
In addition, MTAs may not be MIME-aware but insofar as they "handle"
virus scanning, they are more than capable of dealing with the solution
to this problem space. The only reasonable way to do virus scanning is
to break a message into its parts and scan each part. An MTA either
does this or knows how to "call a tool" that does it. Same for this
Nonetheless, I understand the issue. I know that we can choose to do
things without MIME because we believe that in the "big picture" that's
better. I'm okay with this, i.e., it's a point worth debating in the
working group. I'll just point out that doing it without MIME does not
mean doing it without PGP or S/MIME. That's a separate point worthy of
debate in the working group.