I too have yet to hear a cogent explaination why S/MIME with appropriate
header information included under the signature would not handle this
problem.
Add in a usable key distribution scheme and you might have a winner.
I agree the main thing that we need beyond existing signature schemes
is key management.
Why not tunnel the e-mail message body and its "origin" e-mail header
info into a S/MIME payload, sign it, then add a new outer tunnel
e-mail header in front of that payload, and then e-mail it?
Because it looks revolting in current MUAs. I just tried it; since
the only popular use of encapsulated messages is MIME digests, MTAs
don't do a very good job of making the inside messages look like a
normal messge. Some (Thunderbird) show the inner message in-line but
without any of the header handling options you normally get, others
(OE and Pine) show a list of inner parts which you have to click
through to see the message.
I realize that upgrading MUAs will fix this problem, but I think that
we'd prefer something that would be less of a problem for people who
haven't upgraded.
That needn't rule out S/MIME. I could other ways to add header fields
into the goop in the signature without re-encapsulating the whole thing.
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.