On Mon, Mar 22, 1999 at 10:51:22AM +0000, Charles Lindsey wrote:
> In <36F26494(_dot_)C2144A88(_at_)cis(_dot_)ohio-state(_dot_)edu> Dave Barr
> <barr(_at_)cis(_dot_)ohio-state(_dot_)edu> writes:
> Quite so. Please can we STOP discussing the details, and get the politics
> right first. I am disappointed that none of the IETF gurus (esp. those on
> the ietf-822 list) have responded with the advice I asked for. Don't the
> mail people care? Are they happy that the Usenet list alone should
> prepare a draft that affects both news and mail?
The reason they perhaps ignore it is they already have a couple of standards
on the table, with working implementations in some cases. These include
S/MIME and multipart/signed, as well as a PGP form. The chances of them
taking another as a draft are slim to nil.
But since there are a lot of big advantages to a signed header scheme (along
with some disadvantages when it comes to mail) if USENET adopts one it is
entirely possible that some mail tools would also adopt one, especially
any merged tools. And it would do an end run where it becomes popular.
USENET and mail have some needs in common, but a few big differences
will make unification unlikely at present:
a) Mail doesn't care nearly as much if the signatures are bulky
and the certificates are bulkier. Typical signed E-mail
certs in S/MIME with X.509 can be multiple kilobytes -- the size
of the average USENET post. But they are only sent once or
a small number of times. USENET posts, duplicated 100,000 times,
have a reason to avoid doubling.
b) Mail has pretty fully moved to MIME support. MIME messages are
very common, even though it isn't quite universal. As such,
MIME based signing standards don't look ugly to mail users, nor
does their bulk cause much trouble.
c) With mail you know of and control who receives your mail. Thus
mail can happily support multiple competing methods, as long as
the sender and recipients of each *specific* mail message
understand the signature and certificate space. With USENET,
we have the "Highlander" problem -- "There can be only one."
d) With mail, verification will be done by MTA or client (however
MTA is safest) but there are no intermediate points that want
to verify, unlike news where all relayers SHOULD verify. So there
is less load problem and more choice.
As such, while a USENET suitable system would work fine for mail, we're too
late. Mail people have already designed systems that work in mail but won't
in USENET. We must design our own system, and let mail people decide if they
would also like it.