ietf-mailsig

Re: Web pages for MASS effort

2004-12-05 23:58:01

 > By having a mass signature apply only to an initial subset of the
 > message content, we are now faced with a cascading sequence of
 > possible mechanisms that cause problems or try to get around problems.
 >  When we find ourselves starting to discuss whether some text is, or
 > is not, displayed to the user, as a means of enforcing a security
 > model, we really do need to step back and look for a simpler approach.

  I don't know how to build a signature mechanism that self-destructs
  when it goes through a mailing list, 

Actually, what is being discussed is an attempt to negate the self-destruction 
that *does* happen.  The semantic modifications performed by some/many mailing 
lists destroy the validity of the signature.

Still, I can't figure out where you came up with the self-destruct issue or how 
it relates to the discussion.


  If it's not possible to build a signature that self-destructs, I don't
  know how you propose skipping a discussion of what's supposed to happen
  when multiple signatures occur in a message and 'something' needs to

Multiple signatures mean that a new signature creature does not remove old 
ones.  We can do something about that in the spec, just as we can specify that 
a 'validated' header should be removed when the message leaves the 
administrative trust domain.


 > It is bad enough that we are forced to compensate for possible format
 > changes along a path.  Having to compensate for basic semantics
 > changes, such as the addition of blocks of text is far beyond the
 > limit of simplicity that a mechanism like this should define.

  If you want the signature to not survive having text added ("to
  unsubscribe, email me"), that's one requirement.  If you want the

What is the limit of modifications that are to be compensated for?  Why?  What 
justifies "compensating" for any semantic modification to the message?  What 
about the security hole this leaves, permitting spam to be appended to the 
message?


  Are you wanting an SPF/BATV/SES-like approach for MASS's signature?

I do not understand what you are referring to.


 > Signatures will initially "fail" for nearly all messages, since they
 > won't be signed.  Why should we single out one class of message
 > posters and try to circumvent their responsibility?

  Why?  Because two users who otherwise are signing and validating their
  messages can't control an intermediate third party's mailing list which
  isn't signing its own outgoing messages.  

This puts forward a model of the mailing list as merely a misbehaving relay.  
It is more than that.

It modifies the original message and posts a new one.



d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker  a t ...
www.brandenburg.com
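
An added illustration, not part of the original message or of any MASS proposal: the trade-off debated above between a signature over the whole body and one over only an initial subset of it, when a mailing list appends text. HMAC-SHA256 stands in for the signature algorithm, which the thread does not specify; the key, function names and sample messages are all constructed for this sketch.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional, Tuple

KEY = b"constructed-demo-key"  # constructed; stands in for the signer's key
ORIGINAL = b"Meeting moved to 3pm.\r\n"                 # constructed sample body
LIST_FOOTER = b"--\r\nTo unsubscribe, email me\r\n"      # constructed list trailer
UNWANTED = b"Unsolicited text appended in transit\r\n"  # constructed appended text


class Sig(NamedTuple):
    covered: Optional[int]  # leading body bytes signed; None means the whole body
    tag: bytes


def _mac(data: bytes, key: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the unspecified signature algorithm.
    return hmac.new(key, data, hashlib.sha256).digest()


def sign(body: bytes, covered: Optional[int] = None, key: bytes = KEY) -> Sig:
    """Sign the whole body, or only its first `covered` bytes."""
    return Sig(covered, _mac(body if covered is None else body[:covered], key))


def verify(body: bytes, sig: Sig, key: bytes = KEY) -> Tuple[bool, int]:
    """Return (valid, unsigned_bytes); unsigned_bytes is trailing data the tag does not cover."""
    if sig.covered is not None and sig.covered > len(body):
        return False, 0  # body is shorter than the signed prefix
    signed = body if sig.covered is None else body[:sig.covered]
    if not hmac.compare_digest(_mac(signed, key), sig.tag):
        return False, 0
    return True, len(body) - len(signed)


def demo() -> dict:
    full = sign(ORIGINAL)
    part = sign(ORIGINAL, covered=len(ORIGINAL))
    edited = ORIGINAL.replace(b"3pm", b"9pm")
    return {
        "full_after_footer": verify(ORIGINAL + LIST_FOOTER, full),
        "partial_after_footer": verify(ORIGINAL + LIST_FOOTER, part),
        "partial_after_unwanted": verify(ORIGINAL + UNWANTED, part),
        "partial_after_edit": verify(edited + LIST_FOOTER, part),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The partial signature validates identically for the list trailer and for the other appended text, so a verifier of this kind can only report how many trailing bytes are unauthenticated; it cannot tell the two apart.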

