On Thu, 2005-06-02 at 18:09 -0400, Andrew Newton wrote:
> As with all of William's work, META Signatures is good stuff.
>
> However, in the intervening months I've talked to several vendors who
> have implemented DomainKeys and not a single one ever said "This
> would have been easier if it were based on S/MIME". Given this plus
> the apprehension some people have regarding S/MIME's interaction with
> current MUAs, I now think the DK/IIM approach is the path we should
> follow.
>
> When the charter is reworked, I think it should be very narrowly
> focused so that the working group is to refine and address issues of
> the soon-to-be released draft.

DKIM is certainly good news. I also think it may be good news for
things like S/MIME as well. Some of the reticence in the past involving
S/MIME has been that it changed the appearance of the message, causing an
ironic loss of confidence.

Perhaps with DKIM validation, the appearance hurdle and signature
"breaking" practices will be overcome, and sensitive financial
transactions could be doubly protected with both DKIM and then S/MIME.

As yet another alternative, perhaps financial institutions could utilize
a signed PDF type of document attachment, as another secondary security
strategy.

I would hope to see the MASS WG remain active to handle follow-on
issues that, at best, should be seen as second semester work in the
charter. There are going to be defensive strategies needed, which can
be added as separate follow-on work.

-Doug