ietf-mailsig

Re: the meaning of a mailsig signature

2004-11-07 19:52:39

At 09:52 AM 11/7/2004 +0000, David Woodhouse wrote:

My personal answers.... I don't expect mailsig to replace PGP -- I'll
continue to use PGP to send email to my bank. All I hope to gain from
mailsig is the capacity to reject certain unwanted incoming mail at SMTP
time. Once the message is accepted, mailsig is irrelevant -- the problem
gets solved by a _human_ then anyway, and if you're already showing the
mail to a human, you've already lost.

You're lucky to have a bank that understands PGP!  This is an important point 
-- PGP solves a different problem.  Validity of mailsig signatures 
(authorization of keys) is under your domain's control, not yours.  You almost 
certainly don't want the bank relying on that.

I don't agree that mailsig is irrelevant once the message has been accepted.  
There are a lot of things that can be done once the message is received, like 
to subject messages without a valid signature (and perhaps a good 
reputation/accreditation as well) to more aggressive content filtering or other 
scrutiny.


On Fri, 2004-11-05 at 12:22 -0800, Dave Crocker wrote:
      1.  Who is supposed to do the signing?  That is, what is the "nature" 
of the entity doing the signing?

Anyone who passes on the mail, considering it to be of value rather than
just spam. I may trust some of the signatories; I may not trust others.
So I'd like to see it signed by the originator _and_ by mailing lists
through which it passes.

I think it's going to be problematic to expect signers to make a value judgment 
on whether a message is spam or not.  In the case of mailing lists, the 
signature just means that it came through the list.

-Jim

