ietf-mailsig
[Top] [All Lists]

Re: Why we don't require requirements

2004-10-01 08:50:11

What I don't get - and perhaps it's just me in which case I would
appreciate being educated - is how the problem stated in the charter
of this group (adding signatures to email) is a different problem
than has already been solved 5 times over for email?

That's a quite reasonable question.  I hope we all plan to use
existing signing technolgy where possible, but I see three differences
from what MASS wants and what existing signatures do:

The first is what the signature is intended to protect.  S/MIME and
PGP are provide long-term verification.  I can pick a message out of
an archive that's two years old and check the PGP or S/MIME signature.
That's sometimes useful, but it means that the signatures have to be
extremely resistant to all of the stuff that might happen to a message
in transit or storage, and have to be strong enough to resist an
attacker that's willing to leave a key cracker running in the
background for months.  STARTTLS protects a channel, but it's not end
to end and not per-message.  I think the intention in MASS is to
verify a message during an end-to-end delivery process that typically
takes a few seconds, and at the outside takes a week, and (debatably)
doesn't have to survive all of the mangling that might happen to
messages as they pass through mailing lists and the like.  It's not
intended to protect channels or messages in long-term storage.

The second is the level of signing granularity.  S/MIME and PGP sign
at the individual mailbox level, STARTTLS signs at whatever level the
certificate names are, but the proposals for MASS sign at the domain
level.  The goal as I understand it to be able to assign message
responsibility to domains since they're a lot easier to trace than
individuals.

The third is key distribution.  S/MIME and PGP work OK once you have
the keys, but neither has a key distribution scheme that works in
practice.  STARTTLS has no key distribution scheme at all.  A scheme
for MASS has to permit signing key retrieval that is fast and entirely
automated.  DNS seems the most likely distribution scheme, but I could
imagine something using http.

Are these requirements?  I suppose so, but they all seem pretty
obvious in context.

Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
http://www.taugh.com


<Prev in Thread] Current Thread [Next in Thread>