ietf-mailsig

Re: Proposed change to proposed Charter

2005-07-16 16:05:38

On Sat, 2005-07-16 at 15:00 -0700, Dave Crocker wrote:
> > This seems to leave out checking content as a means to address simple
> > header replay.  This attempts to provide some rationale to support most
> > of your statement.
>
> there's a juggling act to be performed, for the language here.  the focus of
> dkim really is the headers.  including a checksum on the body is an adjunct.
>
> the problem with citing the body in the text, here, is that then folks get
> distracted with the possibility that this competes with pgp or s/mime.

The details of user transparency, in-transit processing, and DNS
deployment provide distinct differences between these alternative
solutions.

This concern of overlap should be countered by the phrase "in a manner
transparent to the recipients who use existing mail-user-agents."
Reluctance to use s/mime by financial institutions was due in part to
the support required when recipients called, concerned by changes to the
appearance of their email.  When using s/mime to sign mail, there is
still the signature attachment that may be seen by the recipient which
causes them to suspect the message is forged.

As s/mime is expected to run at the MUA, this proves to be another
problem for many email providers such as AOL, where this concern of
overlap is again countered by your phrase "this process is performed
during transit." Here an MTA solution prevails in this situation.

-Doug

