ietf-mailsig

Re: What's in the charter

2004-09-23 15:31:21


On 23 Sep 2004, John Levine wrote:

> I think we all agree that the goal is to define or create a scheme in
> which senders can put signatures on mail messages and recipients can
> verify them.

This all depends what you define sender to be.

I would limit it only to that email servers put signatures and other mail 
servers and recipients can verify it. Putting signatures by "senders"
is already covered by S/MIME and PGP. 

> The recipients need some way to fetch the verification
> key.  Do all the schemes use DNS for that, or are there others?

Yes there are.
Cisco Identified Mail is using web based verification.

MTA Signatures is not bound to one signature verification system at all 
and designed with ability to support ones that are based on http, beep,
dns, etc. I described two basic methods to start with - dns and web based
certificate retrieval and next one I'm going to describe is SCVP based.

For future I would envision system to be some key verification server that
can run on either httpd or beep (including beep over udp - as alternative
to dns) and can support "web of trust" verification.
 
> It is my impression that one large vendor prefers to do verification
> and perhaps signing in the MUA, while all the rest prefer the MTA.

Correct. Seems only Verisign wants MUAs

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam Research Worksite:
 http://www.elan.net/~william/asrg/

