Andrew Newton writes:
> Finally, something we can agree upon. The thing that is new here and
> is the agent of change is the key distribution and not the method of
> providing email signatures.

Both are important. We already know that traversal through
many/most mailing lists defeats an "all bytes of body"
canonicalization.
That said, I've always thought it would be a great idea to
completely separate out into two distinct tasks:

1) The 2822 layer encoding of signatures for email
2) An identity/service authorization protocol

The former is the necessary bits on the wire to make email
signatures survive through existing infrastructure, and the
likely compromises that will entail -- very SMTP
specific. The latter is a much more general proposition as
this authorization function may well be used by other
services: there's already questioning on the SIP list, fwiw,
about whether a similar anti-forgery scheme would be
relevant for them.
Mike