ned(_dot_)freed(_at_)mrochek(_dot_)com wrote:
Another question to think about is whether the IETF really wants to make a
fifth attempt in the email signature area, so far it has done PEM, MOSS, PGP
& S/MIME.
This point has already been raised by Patrik Falstrom and others. And if what
this group decides to define is yet another end to end signature scheme, then
I am in complete agreement with him: We have no business rearranging that
particular set of deck chairs a fifth time. Surely the number five should carry
with it at least some indication that this is not where we should be going...
Since the semantics of this signature are different from any of the
others (this is really a signature from the domain owner, or his/her
proxy, indicating permission to use an address in their domain), another
type of signature is required anyway. Even if you do this as a
multipart/signed MIME part, the signature needs to be different from
S/MIME, PGP, etc. for that reason (in addition to the need to bind with
some subset of the message headers).
Given that it does need to be different, a lot of us have looked at how
to encapsulate the signature, and have decided that the easiest way to
be compatible with existing stuff is to create a new header. Perhaps
that's a different discussion, though.
Once again, this isn't necessarily an end-to-end scheme. Intermediaries
that modify the message SHOULD re-sign it.
-Jim