ietf-smime

RE: application/signed vs. application/mime vs. signedData

1997-08-03 22:30:47
Wow!!  My head is starting to hurt.  Deja vu.  I distinctly remember
the last time this thread was discussed and how frustrated everyone
got...

We have once again achieved consensus:

- multipart/signed is great.
- Lots of gateways suck because they screw up multipart/signed.
- Email signatures using multipart/signed simply won't work until sucky
gateways are fixed.

Now let's convert some of this energy into writing the specifications
for what gateways should and should not do.  If the IETF is unwilling or
unable to work on this problem then IMHO they are not being responsive
to their constituency and we should work on the problem without them.

Hmmm.  What to do in the meantime?  Wait until the gateways are fixed
or implement a stopgap?  I could be wrong, however, I think the
consensus is (still) to implement a stopgap.  (If there are any other
proponents of waiting until gateways are fixed to have email security,
please speak up now!!)

Yup, opacity of signed messages pisses a lot of people off.
Nonetheless, signedData is a stopgap that works.  This is not
speculation.  S/MIME signedData was recently mandated in a successful
EDI-over-the-internet pilot by major EDI vendors.  multipart/signed
didn't work.

Some of our customers' customers have implemented a security policy
mandating that _all_ email sent between them and their
suppliers/contractors/remote offices/etc. be signed.  Many of them sit
behind sucky gateways.  signedData always works.  multipart/signed does
not.

Nuff said?

The issue on the table is whether to design some other stopgap measure
to (eventually) replace signedData.  If there is a compelling
alternative, let's give it the attention it deserves.  The longer we
wait, the harder it will get to make the transition.

-steve
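A small simulation of the point made above about opacity surviving transit while clear signatures do not. This is an added example, not code from the original post or from any S/MIME implementation: a SHA-256 digest stands in for the real PKCS#7 signature value, the signedData framing is a made-up stand-in for CMS, and the gateway is modelled as one that re-wraps long lines at 72 columns and converts CRLF to LF; all of these are assumptions, not a description of any particular product.

```python
import base64
import hashlib
import textwrap

# Constructed sample message body (CRLF line endings, one over-long line).
BODY = ("Content-Type: text/plain\r\n\r\n"
        "Purchase order 4711: please ship 200 units to the Denver warehouse "
        "by Friday and invoice accounts payable as usual.\r\n")

def sign(data: bytes) -> str:
    # Assumption: a SHA-256 digest stands in for the PKCS#7 signature value.
    return hashlib.sha256(data).hexdigest()

def build_multipart_signed(body: str) -> dict:
    # Clear-signed: the body travels as readable text; the signature covers it byte for byte.
    return {"type": "multipart/signed", "body": body, "sig": sign(body.encode())}

def build_signed_data(body: str) -> dict:
    # Opaque signedData (toy framing, not real CMS): body and signature are bundled,
    # then base64-encoded as one blob that nothing in transit is expected to read.
    blob = body.encode() + b"\r\n--sig:" + sign(body.encode()).encode()
    b64 = base64.b64encode(blob).decode()
    return {"type": "application/pkcs7-mime", "body": "\r\n".join(textwrap.wrap(b64, 76))}

def lossy_gateway(msg: dict) -> dict:
    # Model of a gateway that re-wraps long lines at 72 columns and turns CRLF into LF.
    out = []
    for line in msg["body"].replace("\r\n", "\n").split("\n"):
        out.extend(textwrap.wrap(line, 72) or [""])
    return {**msg, "body": "\n".join(out)}

def verify(msg: dict) -> bool:
    if msg["type"] == "multipart/signed":
        # Any change to the clear text, even whitespace, changes the digest.
        return sign(msg["body"].encode()) == msg["sig"]
    # Re-flowing base64 lines is harmless: decoding ignores the line structure.
    raw = base64.b64decode("".join(msg["body"].split()))
    body, _, sig = raw.rpartition(b"\r\n--sig:")
    return sign(body) == sig.decode()

def demo() -> dict:
    # Verification results before and after the gateway for both forms.
    clear, opaque = build_multipart_signed(BODY), build_signed_data(BODY)
    return {
        "multipart/signed before": verify(clear),
        "multipart/signed after": verify(lossy_gateway(clear)),
        "signedData before": verify(opaque),
        "signedData after": verify(lossy_gateway(opaque)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'BROKEN'}")
```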