In <36F26494(_dot_)C2144A88(_at_)cis(_dot_)ohio-state(_dot_)edu> Dave Barr
<barr(_at_)cis(_dot_)ohio-state(_dot_)edu> writes:
I am disappointed that none of the IETF gurus (esp. those on
the ietf-822 list) have responded with the advice I asked for. Don't the
mail people care? Are they happy that the Usenet list alone should
prepare a draft that affects both news and mail?
To be very blunt:
(1) If I want to sign headers, I'll use multipart/signed of message/rfc822.
(2) MTAs are supposed to ignore headers anyway, so signed toplevel headers
have no value to mail transport systems.
(3) If I want to sign SMTP envelope information, I'll use
multipart/signed and RFC 2442 with a private agreement for the
transport address/protocol to the recipient MTA. The
alternative hop-by-hop STARTTLS might provide less security, but is
better than none and is deploying well.
(4) Any attempt at a canonicalization algorithm for mail header signing is
doomed to failure from the outset. It will be ambiguous, too complex,
or inadequate.
So:
(A) I doubt signed headers will ever happen in email.
(B) If signed headers in email are attempted, I suspect the IESG will kill
the proposal so I don't have to expend energy fighting it.
(C) If a form of signed headers other than (1) is deployed in email, it
probably won't work anyway so I don't have to worry about
implementing it.
(D) If signed headers are done only in netnews, they will be removed by
the news->mail gateway, tunnelled through (1), or they likely won't
work in the gateway case at all.
Whatever happens, the issue isn't sufficiently compelling to merit wading
through hundreds of long email messages.
- Chris