ietf-mailsig

Re: Web pages for MASS effort

2004-12-04 11:27:26

Jim,

  There is no requirement that the recipient display the unsigned content
  at the end of a message.  A verifying MTA may remove the unsigned
  content at its discretion.  

By having a mass signature apply only to an initial subset of the message 
content, we are now faced with a cascading sequence of possible mechanisms that 
cause problems or try to get around problems.  When we find ourselves starting 
to discuss whether some text is, or is not, displayed to the user, as a means 
of enforcing a security model, we really do need to step back and look for a 
simpler approach.

It is bad enough that we are forced to compensate for possible format changes 
along a path.  Having to compensate for basic semantics changes, such as the 
addition of blocks of text, is far beyond the limit of simplicity that a 
mechanism like this should define. 

We should make the goal of mass to be validation by a receive-side filter.  Any 
dependency or expectation of displays to the user -- never mind concern for 
having the user somehow decide whether the message is valid or not -- should be 
entirely beyond the scope of this effort.


 >  Requiring those that make changes to resign the message does ensure
 >  this process identifies those accountable. A header could be included
 >  to allow signature validation to be cascaded.

  I agree that it's desirable for those that make changes to re-sign the
  message.  But I think it's undesirable to say that signatures will just
  fail for a large proportion of mailing lists unless that happens.

Why?

Signatures will initially "fail" for nearly all messages, since they won't be 
signed.  Why should we single out one class of message posters and try to 
circumvent their responsibility?


  Then there's the other question you touch on, of whether a signature is
  added or the original signature is replaced.  I'm in the "added" camp
  even though that means we have to define how messages are treated when
  different signatures succeed and fail.

Again we are faced with the question of value for the added complexity at the 
receive side.

We have no history of obtaining successful, widescale use of any signing 
mechanism for email.  That should motivate us to make our current work as 
simple as possible.  

Multiple signatures and rules for interpreting them, guidance for what to 
display to recipients, and any other sort of attempt at heuristic robustness 
works against the goal of simplicity.  It also obfuscates the basic semantics 
of the signature, since it confuses who is responsible.

d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker  a t ...
www.brandenburg.com
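The two mechanisms argued over above (a signature that covers only an initial subset of the body, versus one that covers the whole body and therefore forces a mailing list to re-sign) can be shown side by side in a few lines. The block below is an added illustration, not code from this thread, from Dave Crocker, or from the MASS work; it uses HMAC with constructed shared keys as a stand-in for the real public-key signature and a made-up `l`/`d`/`sig` record rather than any actual header format, and the message body and list footer are constructed sample data.

```python
import hashlib
import hmac

# Constructed demo keys (assumption: a real scheme uses public keys fetched by
# the signer's domain; HMAC with a shared secret keeps this runnable offline).
KEYS = {"author.example": b"author-demo-key", "list.example": b"list-demo-key"}


def sign(body: bytes, signer: str, length=None) -> dict:
    """Sign a body on behalf of `signer`.

    length=None covers the whole body; an integer covers only that many
    leading bytes, i.e. the "initial subset" scheme discussed in the thread.
    The returned dict is a hypothetical record, not a real header syntax.
    """
    covered = body if length is None else body[:length]
    tag = hmac.new(KEYS[signer], covered, hashlib.sha256).hexdigest()
    return {"d": signer, "l": None if length is None else len(covered), "sig": tag}


def verify(body: bytes, sig: dict) -> bool:
    """Recompute the tag over the covered region and compare in constant time."""
    covered = body if sig["l"] is None else body[: sig["l"]]
    expected = hmac.new(KEYS[sig["d"]], covered, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["sig"])


def unsigned_tail(body: bytes, sig: dict) -> bytes:
    """Bytes a length-limited signature says nothing about (empty for full-body)."""
    return b"" if sig["l"] is None else body[sig["l"]:]


def accountable(body: bytes, sigs: list) -> list:
    """Receive-side filter view: which signers' signatures still verify."""
    return [s["d"] for s in sigs if verify(body, s)]


# Constructed sample message and the footer a mailing list might append.
AUTHOR_BODY = b"Hello,\r\nPlease review the attached report.\r\n"
LIST_FOOTER = b"\r\n-- \r\nSent via list.example; reply 'unsubscribe' to leave.\r\n"


def partial_coverage_case():
    """Author signs only the original body length; list appends a footer.

    The signature still verifies, but the footer is delivered unsigned, which
    is what pushes the thread toward "should the MTA strip it / display it".
    """
    sig = sign(AUTHOR_BODY, "author.example", length=len(AUTHOR_BODY))
    delivered = AUTHOR_BODY + LIST_FOOTER
    tampered = b"X" + delivered[1:]  # change inside the covered prefix
    return verify(delivered, sig), unsigned_tail(delivered, sig), verify(tampered, sig)


def full_coverage_case():
    """Author signs the whole body; the same footer breaks that signature.

    The list is then the party that must re-sign, and the receive-side filter
    sees exactly one accountable signer for the message as delivered.
    """
    author_sig = sign(AUTHOR_BODY, "author.example")
    delivered = AUTHOR_BODY + LIST_FOOTER
    list_sig = sign(delivered, "list.example")
    return verify(delivered, author_sig), verify(delivered, list_sig), \
        accountable(delivered, [author_sig, list_sig])


if __name__ == "__main__":
    print("partial coverage:", partial_coverage_case())
    print("full coverage:", full_coverage_case())
```

In the partial-coverage case the verifier reports success while holding bytes it cannot vouch for; in the full-coverage case the author's signature fails and only the list's re-signature verifies, so the filter has one unambiguous answer about who is accountable for the delivered content.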

