ietf-mailsig

Re: transition to MASS, was Why we really don't require requirements

2004-10-10 19:00:13


On 10 Oct 2004, John R Levine wrote:

> Some do, some don't.  As I said in other messages, I know of enough mail
> applications that don't handle MIME that I am not comfortable writing them
> all off.  I also don't know how robust the applications that do handle
> MIME are, and how many will break if presented with MIME sections they
> weren't anticipating.  This is why we need experiments.

I'll be conducting an experiment on this at the end of this month; if you
know of mail applications that don't handle MIME messages at all, please let
me know.

>> mail is going to special gateway and should not be MIME encapsulated. The
>> easiest way is for MTA to check if email contains "Mime-Version:" header.
>> If this header is not present then MTA should assume that email is meant
>> to go to non-mime capable gateway and should not add MASS signature.

> That strikes me as an extremely poor way to guess what the user's
> intention is.

If you don't think it's good enough to indicate intent, we can do it with
a special additional header that says "don't sign this message".

> All of my mail is plain text, but Pine correctly puts a
> MIME-Version header on it. You can't tell from the message whether I'm
> sending it to a MUA that groks MIME or some sort of application that doesn't.

If Pine adds a Mime-Version header, that means it's MIME email, and if you're
sending to an application that does not handle MIME, you should not be doing
it with Pine, or you should ask the Pine developers to add an option to let
the user choose to remove "mime-version" to indicate that the email would
be going to a non-MIME-compliant system.

> Since we have at least one proposal, Domain Keys, that doesn't have any of
> this MIME breakage, I don't see any reason to prefer a design that does.

Actually we have 3 proposals that don't deal with MIME and add the signature
into the header. Of those 3 proposals, DomainKeys in my view is the worst one
of all as far as its design, and this is quite easily seen on the comparison
matrix I'm doing.

As far as your protest about possible problems for devices that can't
handle MIME, I do not think it's a strong point and I'm guessing it would
apply to less than 0.0001% of email messages. In fact I'm betting it would
apply to 10,000 fewer cases than if we use your preferred DomainKeys,
whose signature breaks with all mail lists, or if we use SPF, which breaks
forwarding (but forwarding servers are more central and easier to upgrade
than all mail lists).

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/

