[From the "semantics of the signature" thread]
At 04:16 PM 10/7/2004 -0400, Andrew Newton wrote:
On Oct 7, 2004, at 2:36 PM, Jim Fenton wrote:
We should probably break that question down into (1) whether a MIME
encapsulation must be required for all signed messages and (2) choice of
keying model (certificates, web of trust, etc.). IMO there are enough
problems with issue (1) that we don't need to go further.
For those of us that do not know better, what are the problems with MIME
encapsulation?
Mark covers a lot of that territory in
http://www.imc.org/ietf-mailsig/mail-archive/msg00225.html to which I will add:
The question is not whether MIME is permitted; it is whether MIME MUST be
wrapped around the body of every signed message. The question for me is not so
much what percentage of MUAs aren't MIME-aware, but whether this mandate would
disenfranchise even that (arguably small) percentage.
Here's something that happened to me the other day. A friend asked me to send
her some pictures of her kids in a PGP-encrypted message. I sent the pictures
as attachments, and she got the message but not the attachments. I sent them
to myself and after decrypting it was faced with the ASCII form of the enclosed
MIME, and was presented with the pictures in base-64. I'm clearly not using
the latest and greatest version of my MUA, but I suspect I'm fairly typical.
If we're going to wrap the body of a message in MIME, creating a multilevel
MIME message, we are likely to make MIME work a lot more poorly for many people
than it does today.
Finally, I expect that the signature semantics issue that we have been
discussing would mean that we wouldn't end up with real S/MIME or real
PGP-MIME, but a different MIME type entirely that expresses the fact that the
signature means something else. I would be interested in knowing how that
would impact the deployment of a MASS solution, in particular whether it would
require users to upgrade their MUAs.
-Jim