David Srbecky <dsrbecky(_at_)gmail(_dot_)com> writes:

> Simon Josefsson wrote:
>> I understand. Implement your scheme and write a draft about it! I
>> think your ideas are too far-fetching to be reasonably added to this
>> document. There are many details that have to be solved.
>
> Could you please outline a few of these details to be solved?

Canonicalization of the content to sign; it is not clear exactly what
data should be signed. How to cope with gateways that modify the
message also needs to be discussed, e.g., you likely will need to use
7-bit MIME to be reasonably sure the message arrives intact.

The OpenPGP header is not intended to be security critical or
trustworthy. The point of it was to assist mail clients or mailing
list software to be able to provide a better default user experience.
Changing that header to embed signature information changes the
fundamental assumption of what the header should be about, so I'd
rather not work on this now.

I do encourage you to try to experiment with the idea though. The
tag=value structure of the OpenPGP header would allow you to use the
same header name, although if you want to support S/MIME signatures in
the same header, I think using Signature: may be cleaner. And in
general, what the header is called is not that important.

Regards,
Simon
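
Added example, not part of the original message and not the scheme under discussion: a sketch of why the canonicalization and 7-bit points above matter for anything that signs message content. The canonical form (CRLF line endings, trailing whitespace stripped), the two simulated gateways and the sample bodies are assumptions constructed for illustration.

```python
import hashlib
import quopri


def canonicalize(body: bytes) -> bytes:
    """Assumed canonical form: CRLF line endings, no trailing spaces/tabs."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    return b"\r\n".join(line.rstrip(b" \t") for line in lines)


def digest(data: bytes) -> str:
    """Stand-in for the value a signature would cover."""
    return hashlib.sha256(data).hexdigest()


def reflow_gateway(body: bytes) -> bytes:
    """Simulated relay that rewrites LF as CRLF and drops trailing whitespace."""
    return b"\r\n".join(line.rstrip(b" \t") for line in body.split(b"\n"))


def downgrade_gateway(body: bytes) -> bytes:
    """Simulated relay to a 7-bit-only hop: 8-bit content becomes quoted-printable."""
    return body if body.isascii() else quopri.encodestring(body)


def intact(body: bytes, gateway, canonical: bool = True) -> bool:
    """True if the digest computed by the sender still matches after the gateway."""
    form = canonicalize if canonical else (lambda b: b)
    return digest(form(body)) == digest(form(gateway(body)))


# Constructed sample bodies.
BODY_7BIT = b"Hello,  \nthis is plain ASCII text.\n"
BODY_8BIT = "Gr\u00fc\u00dfe,\nthis line has non-ASCII text.\n".encode("utf-8")

if __name__ == "__main__":
    cases = [
        ("7-bit, reflow, raw bytes", BODY_7BIT, reflow_gateway, False),
        ("7-bit, reflow, canonical", BODY_7BIT, reflow_gateway, True),
        ("7-bit, downgrade, canonical", BODY_7BIT, downgrade_gateway, True),
        ("8-bit, downgrade, canonical", BODY_8BIT, downgrade_gateway, True),
    ]
    for label, body, gateway, canonical in cases:
        verdict = "verifies" if intact(body, gateway, canonical) else "BROKEN"
        print(f"{label:30s} {verdict}")
```

Canonicalization absorbs line-ending and whitespace rewrites, but not a transfer-encoding change, which is why the signed content has to be 7-bit before it leaves the sender.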