ietf-mailsig

Re: Why we really don't require requirements

2004-10-02 14:05:43


On 2 Oct 2004, John Levine wrote:

> > > and (debatably) doesn't have to survive all of the mangling that
> > > might happen to messages as they pass through mailing lists and
> > > the like.
> >
> > With this I STRONGLY STRONGLY disagree. The system MUST be able to work
> > within current email infrastructure and not break it. That means
> > the signature must survive emails and forwarders and all other
> > common email retransmission systems.

> This is exactly the kind of war by proxy that I was referring to.

> I agree that it is desirable that a signature be resistant to mangling
> as a message is forwarded and reformatted.  On the other hand, I also
> think it is desirable that a signature cover the headers that are
> likely to be displayed to the user.

I happen to agree with that as well!

> Unless we think we're vastly smarter than the people who designed
> S/MIME, their experience tells us that we can't have both.

That is the part I disagree with; I think we can in fact do both.

> They worked hard and came up with a scheme that signs message bodies in
> a robust way but in view of the amazing variety of ways that MTAs and
> MUAs mangle headers (Exchange and Outlook are the poster children here),
> they left headers entirely out of the story.

My view of this is that some headers (Subject, From) will have to be
included in the signature in their entirety.

> A requirement that signatures be mangle-proof is in practice saying
> that the scheme be S/MIME, give or take signature granularity and key
> distribution.  I'm not ruling that out, but I'm sure not willing to
> rule it in at this point either.

I did not say that the scheme must be S/MIME. I think it's possible for it to
be mangle-proof and not be S/MIME; I'll comment on that point separately.
 
> That's why I think we should accept a generally worded charter such as
> the one that Dave C has written, and go ahead and look at the merits
> of the actual proposals rather than having airy discussions about what
> a hypothetical signing scheme should do.

In my view it is way too early to look at the proposals until we know what
we want. And in any case we have to work on the group charter right now.

> I concur that it's possible that none of the proposals will prove
> adequate, but I think we can burn that bridge if and when we come to it.

Not a good scenario to have chosen to work on something and then find it
does not work as you want. Come to think of it, this is part of the reason
why MARID failed too.

> I'd like an automobile that costs nothing, protects the occupants from
> injury in any possible type of accident, gets a thousand miles to the
> gallon, and has no effect on the environment, but making those my
> requirements isn't going to help me buy a car.

Of course requirements have to be realistic and something that can be
achieved. Obviously "thousand miles to the gallon" or "costs nothing" is
not realistic. That it has little effect on the environment and protects the
occupants from injury are, however, realistic requirements.

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/

