Re: [ietf-dkim] a bit of philosophy on working group productivity and scope

2005-08-14 15:34:46
Dave Crocker wrote:
But first we need to do *anything at all* that is useful.

....

As of today, there is no standardized transit-time message authentication
technique.  If we can produce a standard that permits validating ANY identity
with a signed message, we will have created a stable base for all sorts
of enhancements.

Perhaps, but a stable base for future enhancements that will actually have
some utility is not, I would think, something useful.


You seem to have missed the "but first" paragraph.

I think not. I think I'm trying to say that what you defined as minimally useful isn't sufficiently useful to be worth the effort of a working group. I think the minimum needs to be higher.


Unless the output of this putative group would at least enable a receiver to
reject a 'bad' message or have more confidence in a 'good' message there is
no incentive for either senders or receivers to deploy.


for some definitions of good messages and bad message.

Yes. Up to the receiver to decide that. I won't even try to come up with a universal definition.


It would seem to me that there is a necessary tie between the identity being
signed, some e-mail identity that end users actually see, and some type of
sender policy declaration that would allow receivers to have some idea how
to interpret the presence, absence, and validity of signatures.


Quite a bit of useful filtering is done today that does not require the end-user to participate directly and does not involve knowing the sender's "policies" and does not require using the rfc2822.from field.

Yes.  All of which does not require MASS or DKIM.

What I am attempting to say is that I do not believe there is any significant value in signing some new, invisible e-mail identity. For it to have value, it needs to relate to a current, visible identity. It also needs to be tied to some sort of sender policy because otherwise there is no reliable way to know what the presence or absence of a particular signature is supposed to mean other than in the case of a valid signature for an identity that is identical to the body From:.

If all I want is a cryptographically valid signature, there are other ways to get it.

I thought your thread was about what is the minimum we can accomplish that will be worthwhile. I think that's about as low as the bar goes.

Scott Kitterman

_______________________________________________
ietf-dkim mailing list
<http://dkim.org>