ietf-mailsig

Re: Narrow the scope: no new email signature protocol

2004-10-10 04:36:41


On Fri, 8 Oct 2004, Michael Thomas wrote:

> Both are important. We already know that traversal through
> many/most mailing lists defeats an "all bytes of body"
> canonicalization.

Could you clarify what you mean by "all bytes of body" canonicalization?

> That said, I've always thought it would be a great idea to
> completely separate out into two distinct tasks:
>
> 1) The 2822 layer encoding of signatures for email
> 2) An identity/service authorization protocol

I agree with this completely. And it would slow us down if we do both #1 
and #2 together, so I think the charter of this WG should focus exclusively on
#1 and base authorization on simple DNS records and/or an existing protocol
such as SCVP. But the ability to add/extend mail signatures with a new service
authorization system should definitely be part of the syntax.

As far as a better signature verification protocol, I personally want to see
something that combines features of a PGP keyserver with an SCVP S/MIME service 
and in a way that also provides some form of reputation.

> The former is the necessary bits on the wire to make email
> signatures survive through existing infrastructure, and the
> likely compromises that will entail -- very SMTP
> specific. The latter is a much more general proposition as
> this authorization function may well be used by other
> services: there's already questioning on the SIP list, fwiw,
> about whether a similar anti-forgery scheme would be
> relevant for them.

Quite true, so #2 can be thought to be a separate task for IETF and create
this kind of protocol/service that is relevant to identity verification
and would apply to email signatures as well as other protocol verification 
services.

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net

