At 04:13 PM 10/8/2004 -0400, James M Galvin wrote:
> Based on the assumption we are working on an end-MTA to end-MTA
> signature, I now agree that the issue of conveying the security information
> is a good one to debate in the working group.

While I agree that message signing and verification will often happen at the
MTA, and is therefore not truly end-to-end, I'd like to make sure that we don't
prohibit the ability to sign or verify (with some time validity restrictions)
at an MUA. I'm not sure you're saying that, but I just wanted to be clear.

On the other hand, someone suggested a MIME encapsulation that would be applied
at the point of signing and removed at the point of verification. That would
not work, because there is no way to know if the recipient's MTA is MASS-aware
and would actually do that. Recipients of such messages that have
non-MASS-aware MTAs would get message encapsulations they (probably) aren't
prepared to deal with.

-Jim