
Re: Web pages for MASS effort

2004-11-29 10:16:17

Dave Crocker wrote:

> Let me explain why: When standards do things to encourage heuristics, the utility of the service becomes more and more a question of stochastics. That means that there is no real reliability to whether things will work. People do whatever they feel like and recipients are left trying to guess what the sender chose.

Presuming you're referring to features like canonicalization, body length count, and header copying, in IIM there is no ambiguity as to what the sender chose. It is all spelled out in the signature header: the type of canonicalization used, the copies of the headers, and the number of bytes signed by the sender. What is left to guesswork?

> Heuristics make sense when there are no standards. But the purpose of a standard is to define precise, predictable behaviors, and that means constraints.

I'm still not in agreement with the description of these mechanisms as "heuristics", but in any case there are enough widely-deployed interpretations of email behavior that in many respects we are operating in the absence of standards. Shouldn't we be defining something that works for recipients (i.e., returns a positive result when it's fairly clear that the message hasn't been spoofed)?

I'm receiving a certain amount of DK-signed mail now. Virtually none of it verifies successfully because it has passed through a mailing list that did something (usually minor) to the message. And, various press releases notwithstanding, even Yahoo! Groups isn't signing their mailing lists. Requiring mailing lists, in all cases, to sign their messages greatly slows the usefulness of any signature mechanism.


> And this is why it is increasingly clear to me that we should not be trying to make the mechanism be robust against intermediaries that make arbitrary changes. Ultimately, that's an arms race. The intermediaries do more and more arbitrary stuff and we do more and more to try to guess how to protect against it.

Describing it as an "arms race" implies that the operators of mailing lists are actively working to defeat signature-based mechanisms, which is not the case. We aren't trying to track intermediary behavior going forward, just to accommodate widespread legacy behavior.

-Jim
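Jim's point that the signature header spells out the sender's choices (canonicalization and the number of body bytes signed), shown as a constructed example added here; it is not code from the thread and not IIM's actual header format or tag names, and it uses HMAC in place of a public-key signature.

```python
import hashlib
import hmac

# Constructed illustration, not IIM's wire format: the signer records in
# the signature header which canonicalization it used (c=), how many
# canonical body bytes it signed (l=) and the signature (b=), so the
# verifier follows the sender's stated choices instead of guessing.
# HMAC with a shared key stands in for a public-key signature.
KEY = b"constructed-demo-key"
MODES = ("simple", "relaxed")

def canonicalize(body: bytes, mode: str) -> bytes:
    """'simple' leaves the body untouched; 'relaxed' normalizes CRLF to LF
    and strips trailing whitespace per line, so benign reformatting by an
    intermediary does not change the signed bytes."""
    if mode == "simple":
        return body
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    return b"\n".join(line.rstrip(b" \t") for line in lines)

def sign(body: bytes, mode: str = "relaxed") -> str:
    canon = canonicalize(body, mode)
    mac = hmac.new(KEY, canon, hashlib.sha256).hexdigest()
    return f"X-Example-Sig: c={mode}; l={len(canon)}; b={mac}"

def parse_tags(header: str) -> dict:
    _, _, value = header.partition(":")
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)

def verify(header: str, body: bytes) -> bool:
    tags = parse_tags(header)
    if tags.get("c") not in MODES or "l" not in tags or "b" not in tags:
        return False
    canon = canonicalize(body, tags["c"])
    length = int(tags["l"])
    if length > len(canon):  # body shorter than what was signed: truncated
        return False
    # Only the first l= bytes are covered; anything appended afterwards
    # (a list footer, say) is unsigned and must be treated as such.
    mac = hmac.new(KEY, canon[:length], hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, tags["b"])

# Constructed message, and the kind of footer a mailing list appends.
ORIGINAL = b"Hello list,\r\nPlease review the draft.  \r\n-- Jim\r\n"
FOOTER = b"\n_______________\nietf-mailsig mailing list\n"
```

With the byte count recorded, the appended footer leaves the signed prefix intact and verification still succeeds, while an edit inside the signed region or a truncated body fails.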
