ietf-mailsig

Re: Narrow the scope: no new email signature protocol

2004-10-06 07:02:16


On Tue, 5 Oct 2004, Dave Crocker wrote:

If I have understood the concerns correctly, the suggestion is to 
use s/mime or pgp because they are well-established.  

There are observations that s/mime and pgp do not 

      a) protect headers
      b) use domain-scope identification
      c) DNS-based key validation (or acquisition)
      d) header-based attribute encoding

The response I am hearing is that there are no inherent 
difficulties in making the changes to s/mime or pgp to cover 
these.

I am not understanding how "making the changes" differs from a 
design and development effort.

It is a "design and development effort" but it may well be less of an
effort than "new design and development". Please do make sure to point out
the difference instead of implying it's one and the same.

There is a reason why so much is built on existing infrastructure - 
it saves time on development and lets us use an existing set of libraries
for multiple tasks.

And if I understand correctly, it has always been an IETF goal to limit 
the fundamental set of core protocols and allow new ones to build upon them. 
This is the reason for BEEP as a way to build a core for other XML-based 
protocols, this is the reason for TLS as a way to build channel-based 
encryption for other protocols, and I can name a few more examples. 

Now do you really think it's easier to add encryption into a protocol by 
reinventing TLS, or is it easier to use the existing documented way and 
existing set of libraries? So, if we can build upon an existing base - 
we should!

So I am not understanding what the benefit is, in starting with 
systems that have poor usage histories

Usage histories are poor because they rely on educating a large base of 
hundreds of millions of end-users about how to use S/MIME or PGP. If we 
rely on MTAs and automate this task, the only people to educate are 
mail server admins and this I believe is achievable since these techs
are a lot more fluent in what secure email communication is all about.

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/

