On Fri, 8 Oct 2004, Dave Crocker wrote:
> First, developing an end-user to end-user signature mechanism
> is explicitly out-of-scope.
> Second, the purpose of this working group is to develop an
> end-MTA to end-MTA signature mechanism.
> Presumably you see major architectural, semantic and operational
> distinctions between placing these functions in the end MTAs,
> versus permitting them to be various locations, including MUAs.
> Please explain.
It's not about where the implementation is located, it is about the
service provided. So, I don't see major issues but there are some
points worth discussing.
Certainly the most logical place to implement an end-MTA to end-MTA
signature mechanism is in the end-MTAs, but I'm open to exploring other
options.
The receiving side seems pretty straightforward to me. If the receiving
MTA leaves the signature present then I can imagine recipient MUAs
making use of that information. How much use depends on how we resolve
the issue of lifetime of the signature.
On the sending side, it still seems incongruous to me to have the
sending MUA create the MTA signature, but I'm open to discussion on the
point. The user is presumably in the domain and perhaps they do have
access to the private key of the domain. I haven't thought this through
completely yet....
Jim