My personal answers.... I don't expect mailsig to replace PGP -- I'll
continue to use PGP to send email to my bank. All I hope to gain from
mailsig is the capacity to reject certain unwanted incoming mail at SMTP
time. Once the message is accepted, mailsig is irrelevant -- the problem
gets solved by a _human_ then anyway, and if you're already showing the
mail to a human, you've already lost.

On Fri, 2004-11-05 at 12:22 -0800, Dave Crocker wrote:
> 1. Who is supposed to do the signing? That is, what is the "nature"
> of the entity doing the signing?

Anyone who passes on the mail, considering it to be of value rather than
just spam. I may trust some of the signatories; I may not trust others.
So I'd like to see it signed by the originator _and_ by mailing lists
through which it passes.

> 2. What does their signature mean? What "encumbrance" or obligation
> does the signatory take on, by doing the signing?

Just that it really was sent (or resent) by them.

> 3. What is the intended purpose of the signature? What does it
> prove and to whom? How is it supposed to be used?

Its _absence_ when it should be present for a given {re,}sender is used
to reject the mail at SMTP time.

> 4. What is the intended lifetime for a signature? For how long is
> it supposed to be valid?

The maximum time that mail stays undelivered on people's queues before
being bounced. Theoretically unbounded but in practice a week or so.

--
dwmw2