ietf-mailsig

Re: Why we don't require requirements

2004-10-06 03:12:30


On Fri, 1 Oct 2004 ned(_dot_)freed(_at_)mrochek(_dot_)com wrote:

What I don't get - and perhaps it's just me in which case I would
appreciate being educated - is how the problem stated in the charter of
this group (adding signatures to email) is a different problem than has
already been solved 5 times over for email?

Very nicely put. I'm no longer on the IESG, but if I were the question 
I would want to see addressed in the charter is why this effort is 
expected to succeed in achieving very widespread deployment when the 
many previous efforts in this area have all failed in this regard.

The existing methods of signing email are tied to certain signature
verification architecture and key distribution where as for S/MIME we
have highly centralized system, for PGP we have web-of-trust architecture.

It seems that we desire new mechanism for signature verification that
ties the signature based on some type of callback (this can be dns,
http, new key verification server, etc) to signer's domain.

Additionally some other features like ability to sign headers are also
wanted. It does seem possible and even likely that these new features
can be implemented on top of one of existing email signing systems
which should allow to reuse already existing base of libraries for some
implementations.

But we also have to be considerate of all those using different email 
signing systems (i.e. S/MIME and PGP) and not force one or the other
for every email (i.e. what we do should be able to co-exist with
existing email signing systems). It is unfortunate but true that 
S/MIME and PGP signatures do not co-exist well together in the same
email, but as has been noted this is primarily a problem due to MUAs
which are expecting one and can't always easily discard the other.

    >    -  Automated signing of outgoing messages by any SMTP-initiating
    >       entity.

Not only is this doable with off the shelf stuff already, I believe there are
always specifications in the S/MIME space describing exactly how to do it.

For those who want to see research into automated S/MIME signing, I would
recommend the following document:
 http://sconce.ics.uci.edu/sucses/publications/sas_ndss02.pdf 
 
---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/

