Re: Replay of CMS SignedData

1998-08-11 08:09:34
In message <2FBF98FC7852CF11912A000000000001091266B7(_at_)DINO> you write:
I very much agree with Eric on this issue.  This type of thing must be done
in a way which makes sense to the application.  This is especially true
since one can't rely on signing time as a correct value, it does not even
have the quality of a timestamp yet.

Even if timestamping works, we don't get a message which we can look at
and say "this is a replay attack". If our ISP loops a piece of mail for
a week, then all our mail will have a receiving date much later than the
timestamped one. Signifies nothing.

However, it does serve a function as one thing which, all other things
being valid, must be different from one instance to another. If you
receive two identical signed pieces of mail which say "Send me the
money", both with signingTime, then something somewhere is wrong, which
isn't necessarily the case without signingTime. Again, this is a matter
of storing and comparing email messages, and so is outside our
jurisdiction, but it would be no harm to include a note saying we
facilitate this, much as the ESS MailingListHistory facilitates stopping

While I'm on the subject: We are (by volume) most of the S/MIME
implementors. Doesn't here not send signingTime?

Andrew Farrell,
Baltimore Technologies.
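
The store-and-compare check discussed in the message above, as an added example that is not part of the original post or of any S/MIME implementation. It assumes the signature has already been verified; `SignedMail`, `ReplayStore` and the sample messages are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class SignedMail:                      # hypothetical, already signature-verified
    signer: str                        # signer identity (constructed value)
    content: bytes                     # the signed content
    signing_time: Optional[datetime]   # signingTime attribute, None if absent
    received: datetime                 # local receipt time (not used for the verdict)

class ReplayStore:
    """Remembers (signer, signingTime, content digest) of accepted mail."""
    def __init__(self):
        self._seen = set()

    def check(self, m: SignedMail) -> str:
        st = m.signing_time.isoformat() if m.signing_time else None
        key = (m.signer, st, hashlib.sha256(m.content).hexdigest())
        if key not in self._seen:
            self._seen.add(key)
            # A long delivery delay alone is not treated as a replay.
            return "new"
        # Same signer, same content, same signingTime: something is wrong.
        # Without signingTime the signer may simply have sent the text twice.
        return "duplicate" if st is not None else "ambiguous"

def demo():
    t = datetime(1998, 8, 11, 8, 0, tzinfo=timezone.utc)   # constructed sample time
    week, hour = timedelta(days=7), timedelta(hours=1)
    body = b"Send me the money"
    store = ReplayStore()
    return [
        store.check(SignedMail("alice", body, t, t + week)),        # delayed first copy
        store.check(SignedMail("alice", body, t, t + week)),        # identical second copy
        store.check(SignedMail("alice", body, t + hour, t + hour)), # re-sent, new signingTime
        store.check(SignedMail("alice", body, None, t)),            # no signingTime, first
        store.check(SignedMail("alice", body, None, t + week)),     # no signingTime, again
    ]

if __name__ == "__main__":
    print(demo())
```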
