ietf-mailsig
[Top] [All Lists]

Re: revised Proposed Charter

2005-07-25 14:15:35

On July 25, 2005 at 11:19, Douglas Otis wrote:

S/MIME has this feature already, and enjoys wide client deployment.   
It lacks any significant use.  S/MIME or secure documents may become  
an alternative for such minor needs requiring higher security often  
related to the author of the document.  How this high security  
problem is solved is really independent of an effort attempting to  
scale for the wide use of an authentication scheme suitable for the  
exchange of email.  Here I tend to agree with Mike.

At the data level, S/MIME and DKIM (or similiar-type proposols)
are different.  For example, S/MIME does not deal with arbitrary
header fields, only the MIME Content- ones to protect the integrtity
of the body.  I.e. S/MIME deals with the body part while DKIM and
others try to deal with the message as a whole (or in select
parts).

From a usage model perspective, S/MIME implies, "I have some
data I want to sign/encrypt using email as my transport."  While
DKIM and others imply, "I have an email message that I want
to sign to verify the sender and content."  See the difference?
One is at the MIME entity level while the other is at the
message level.

Also, the particular body structured required for S/MIME is encumbers
it for usage models that are more suitable for a DKIM-like system.

I think it is an error to assume that people will not want to
have a high level security model for DKIM.  Limiting the level of
security of DKIM, IMHO, will doom it to failure (what you think is
adequate now may not be in the future).  It is this concern that I
would like to see core DKIM become a little more flexible to support
alternative PKI systems.  The core DKIM spec does not need to define
those systems, but it is worthwhile to have them in mind so nothing
in the spec artifically constrains their usage.  I think such changes
are minimal and mostly a matter of wording.

As for "wide use of an authentication scheme suitable for the exchange
of email." as DKIM is currently defined, I do not think it can achieve
that goal (and I have raised my concerns in past emails and looking
forward to the next draft revision, including the next revision
of SSP).

--ewh


<Prev in Thread] Current Thread [Next in Thread>