ietf-822

Re: Signed headers in email (was Re: Draft for signed headers)

1999-03-26 10:06:03
In <Pine(_dot_)SOL(_dot_)3(_dot_)95(_dot_)990325002454(_dot_)9842A-100000(_at_)elwood(_dot_)innosoft(_dot_)com> Chris Newman <Chris(_dot_)Newman(_at_)innosoft(_dot_)com> writes:

To be very blunt:

(1) If I want to sign headers, I'll use multipart/signed of message/rfc822.

Fine. You can do that, but it is no solution for some news applications.

(2) MTAs are supposed to ignore headers anyway, so signed toplevel headers
   have no value to mail transport systems.

Quite so. The signatures are for the benefit of the end-users.

(3) If I want to sign SMTP envelope information, I'll use
   multipart/signed and RFC 2442 with a private agreement for the
   transport address/protocol to the recipient MTA.  The
   alternative hop-by-hop STARTTLS might provide less security, but is
   better than none and is deploying well.

Agreed. My proposal says nothing about envelopes.

(4) Any attempt at a canonicalization algorithm for mail header signing is
   doomed to failure from the outset.  It will be ambiguous, too complex,
   or inadequate.

And that is a matter you decide by examining the proposals and finding
holes in them. Not by asserting ex cathedra that no solution exists. I
have proposed a canonicalization algorithm which may or may not work. It
should be examined, discussed, and improved.

So:

(A) I doubt signed headers will ever happen in email.

Time will tell.

(B) If signed headers in email are attempted, I suspect the IESG will kill
   the proposal so I don't have to expend energy fighting it.

If the usenet-format people submit a proposal to the IESG, I doubt IESG
is going to kill it just because it _might_ get used in mail as well. If
mail agents want to ignore it, that is their business. All I expect is
that they pass these strange headers through unmunged. If people in the
mail world subsequently find useful things to do with them, would that be
such a Bad Thing? News has found many things in mail that it can adapt
satisfactorily, but the migration of ideas between news and mail should be
a two-way traffic, do you not think?

(C) If a form of signed headers other than (1) is deployed in email, it
   probably won't work anyway so I don't have to worry about
   implementing it.

Fine. So you are happy to let the news people develop this tool on their
own, and you are not going to complain if it turns out later that they
have omitted some small tweak that would have made it work much better in
mail? That is fine by me. But we shall in any case try to make it as
mail-proof as we can while we are about it.

(D) If signed headers are done only in netnews, they will be removed by
   the news->mail gateway, tunnelled through (1), or they likely won't
   work in the gateway case at all.

Tunneling will certainly be used in many specific situations, but the
intention is to try and make it work with or without tunneling.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Email:     chl(_at_)clw(_dot_)cs(_dot_)man(_dot_)ac(_dot_)uk  Web:   http://www.cs.man.ac.uk/~chl
Voice/Fax: +44 161 437 4506      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9     Fingerprint: 73 6D C2 51 93 A0 01 E7  65 E8 64 7E 14 A4 AB A5
