ietf-822

Re: making mail traceable

2004-01-19 15:57:29


On Jan 19, 2004, at 4:41 PM, Markus Stumpf wrote:

On Mon, Jan 19, 2004 at 12:18:14PM -0500, Keith Moore wrote:
It also depends on what is included in the hash.  I believe it will be
necessary to omit some information from the hash in order to get the
hash to survive most existing mail transports. I don't think this is a
problem as long as we don't treat the originator-id tag as a digital
signature.

IMHO it is a question of what one wants to accomplish with the signature.
If it's end-to-end, aka MUA <> sMTA <> rMTA <> MUA signatures are nice
to have, but as I can trust my rMTA's Received: line about the sending MTA
it is not of much additional information.

it's a moot point. it's much easier to make e2e sigs work than to make hop-by-hop sigs work.

I don't think it is an easy task to find information to add to the hash.

offhand:
- subject field (perhaps truncated to XX bytes)
- message body
- source IP address and port
- precise date/time (not the Date header field)
- *maybe* some form of the envelope recipient list

Adding the body of the email to the hash is also playing vabanque as
e.g. mailing lists add trailers to the message and break the hash.

interesting point that. but if the body is the last thing to be hashed you may be able to recheck the hash at every line boundary. you might also have the id field include the number of bytes from the body that are hashed.
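
The two ideas in the last reply (hash the body last and recheck at line boundaries, or carry the hashed byte count in the id field), sketched as an added example that is not part of the original thread. The tag layout, SHA-256, the 64-byte subject cut-off and all sample values are assumptions made for illustration.

```python
import hashlib

SUBJECT_MAX = 64  # assumed cut-off; the thread leaves it as "XX bytes"

def _start(subject, src, stamp):
    """Hash the non-body fields first, so the body is the last thing hashed."""
    h = hashlib.sha256()  # hash choice is an assumption
    for field in (subject[:SUBJECT_MAX], src, stamp):
        # Length-prefix each field so field boundaries are unambiguous.
        h.update(len(field).to_bytes(4, "big") + field)
    return h

def make_id(subject, src, stamp, body):
    """Hypothetical tag layout: '<body bytes hashed>:<hex digest>'."""
    h = _start(subject, src, stamp)
    h.update(body)
    return f"{len(body)}:{h.hexdigest()}"

def verify_with_length(tag, subject, src, stamp, body):
    """Use the byte count in the tag. Returns how many trailing bytes are
    NOT covered by the hash, or None if the covered part does not match."""
    count, want = tag.split(":", 1)
    n = int(count)
    if n > len(body):
        return None
    h = _start(subject, src, stamp)
    h.update(body[:n])
    return len(body) - n if h.hexdigest() == want else None

def verify_by_line_scan(want, subject, src, stamp, body):
    """No byte count: recheck at every line boundary. Returns the covered
    length, or None if no prefix ending at a line boundary matches."""
    h = _start(subject, src, stamp)
    covered = 0
    for line in [b""] + body.splitlines(keepends=True):
        h.update(line)
        covered += len(line)
        if h.hexdigest() == want:
            return covered
    return None

# Constructed sample message and list trailer.
SUBJECT = b"Re: making mail traceable"
SRC = b"192.0.2.10:40123"
STAMP = b"2004-01-19T15:57:29Z"
BODY = b"Hello,\r\nsee you Monday.\r\n"
TRAILER = b"-- \r\nlist footer added in transit\r\n"
TAG = make_id(SUBJECT, SRC, STAMP, BODY)
```

A nonzero result from `verify_with_length` means the hash still matches but that many trailing bytes were added after hashing and are not covered by the id, so a receiver should treat them as unverified.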