Arvel Hathcock wrote:
What I'd like to know is whether Dave's view has any support
or not. There are many people who haven't commented on this topic.
I believe that message signatures have value in themselves.
While that value can be enhanced, depending on such things as the
relationship of the signer to the sending domain, or the assessment of the
trustworthiness of the signer, these enhancements build on the basic
presence of a verifiable signature.
Local policy can also be used to manage the extent to which trust is
extended to signatures where the domain of the signing entity is not the
same as (or a sub-domain of) the originating address, or to messages that
are not signed when the bulk of messages from that originating domain are
signed.
Even usage over time allows any signature to acquire a degree of trust
without any other external reference, much as happens in with other
communications channels (eg postal, phone).
Provided the DKIM standard specifies suitably flexible mechanisms for
extension, then other value adding services and alternatives can be combined
with the basic signature to make its deployment more useful and probably
more cost-effective.
It would be ideal if the working group can produce some of these additional
components as well as the basic signature mechanism. However, it appears as
though there is still a lot of substantive discussion to get agreement on
these items, and meanwhile, the basic signature standard is languishing.
Perhaps taking a first step would be productive.
--
James
_______________________________________________
ietf-dkim mailing list
<http://dkim.org>