ietf-mailsig

Re: more hand waving about mailing lists

2004-12-05 23:31:05

> Why?  Because two users who otherwise are signing and validating their
> messages can't control an intermediate third party's mailing list which
> isn't signing its own outgoing messages.  In such cases, you seem to
> prefer that the original poster's signature self destruct -- that is,
> be unavailable to the receiver at all.

Putting silly statements into the mouths of people who disagree with
you is rarely a persuasive debating technique.

I can't speak for Dave, but nothing I've seen so far changes my
conclusion that attempts to make signatures survive mailing lists and
other mutations are fundamentally a bad idea.  They add vast amounts
of complexity for at most an occasional and transitory, and more
likely an illusory benefit.

I don't know all of the ways that list software might mutate a
message, and neither does anyone else.  We still don't have anything
close to a concrete proposal to take an IIM signature and a message
and tell us whether the message is close enough to the signature that
we can conclude that the differences are only due to a trip through a
mailing list.  And I don't think we ever will, either.  Feel free to
prove me wrong, preferably with C code I can run, but I'm not holding
my breath.  It's not helpful to tell me that I can use any closeness
metric I want, since I don't know of any usable ones other than exact
match.

The experiments I've seen with DK have shown that even rather
simple-looking fuzzy matches can let through heavily mutated messages,
while some common mutations like virus scanner tag lines can be really
hard to deal with.  I don't see any reason to think that IIM would be
any different in those regards.

As far as I'm concerned, there are exactly two kinds of message
forwards.  There's the simple dot-forward kind in which the message is
unmodified other than perhaps having a few headers added at the top.
And then there's everything else, mailing lists, MUAs that smash as
they forward, whatever.

For the first kind, I hope we agree that it's easy to make a signature
scheme work.  For the second kind, it's not, so my advice is don't
even try.

The whole point of message signatures is to know who's responsible for
the message.  For mailing list messages, the responsible party is the
list.  You can't tell anything about the quality of a list by checking
internal signatures.  A list with no internal signatures might be
manually moderated by someone who calls all the submitters on the
phone to check that the messages are real.  A list with 100% internal
signatures could be 100% from dead Nigerian generals.

So, please, if you believe that it's useful to have signatures pass
through lists, show us that it works.  Show us running code that can
handle mutations from common list managers (try Yahoo Groups, mailman,
listserv, sympa, lyris, and majordomo) but can't be trivially spoofed.
Give us some rules to tell us what we're supposed to do with list mail
that has various combinations of good and bad nested signatures.  At
this point, all I see is smoke.

Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
http://www.taugh.com
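
The trade-off the message describes, as an added example that is not part of the original post and is not the DK or IIM algorithm: an exact body digest is compared with a constructed lenient rule (`fuzzy_digest`, which ignores whitespace and case) across a dot-forward, a re-wrapped body whose meaning changed, and an appended scanner tag line. All messages, addresses and function names are constructed for illustration.

```python
import hashlib
import re

def split_message(raw: str):
    """Split a raw message into (header block, body) at the first blank line."""
    head, _, body = raw.partition("\n\n")
    return head, body

def exact_digest(raw: str) -> str:
    """Exact-match rule: digest of the body bytes, unchanged."""
    return hashlib.sha256(split_message(raw)[1].encode()).hexdigest()

def fuzzy_digest(raw: str) -> str:
    """Constructed lenient rule: drop all whitespace and fold case, then hash."""
    body = re.sub(r"\s+", "", split_message(raw)[1]).lower()
    return hashlib.sha256(body.encode()).hexdigest()

# Constructed sample messages.
ORIGINAL = ("From: alice@example.org\nSubject: meeting\n\n"
            "The plan is now here.\nSend it to the list.\n")
# Dot-forward: one header added at the top, body untouched.
DOT_FORWARD = "Received: from mx.example.net\n" + ORIGINAL
# Re-wrapped body whose meaning changed ("now here" became "nowhere").
REWRITTEN = ("From: alice@example.org\nSubject: meeting\n\n"
             "The plan is nowhere. Send it\nto the list.\n")
# Benign scanner tag line appended to the body.
TAGGED = ORIGINAL + "--\nScanned by ExampleAV, no viruses found.\n"

def survives(digest, received: str) -> bool:
    """True if the digest taken over ORIGINAL still matches `received`."""
    return digest(received) == digest(ORIGINAL)

def report():
    """Map each case to (exact rule survives, lenient rule survives)."""
    cases = {"dot-forward": DOT_FORWARD, "rewritten": REWRITTEN, "tag line": TAGGED}
    return {name: (survives(exact_digest, msg), survives(fuzzy_digest, msg))
            for name, msg in cases.items()}

if __name__ == "__main__":
    for name, (exact, fuzzy) in report().items():
        print(f"{name:12} exact={exact!s:5} fuzzy={fuzzy}")
```

The lenient rule accepts the body whose meaning changed yet still rejects the harmless tag line, while the exact rule passes only the dot-forward.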





