Jim Schaad wrote:
I would recommend looking at RFC 3261 section 23.4.1 for a description of
how SIP handled the comparison problem between the outer and inner headers.

This is by far the biggest area we wussed out on from my perspective. I
think it was an intractable rathole, however, so I will defend my wussiness.

The MASS group would not be open to saying that the correct answer is to
have an embedded message that is promoted when found. I don't know if this
has been implemented by any S/MIME implementation. I would be surprised if it
was widely adopted.

I'm not going to speculate on the adoption, but I would be curious what
options are being considered, especially for the purpose of privacy
protecting headers (not just digital signatures).

If it's the "list all the headers that are covered by the signature"
approach which I think is used by both DomainKeys and IIM, we'd need to
supplement that with a solution to handle privacy protected headers, in
order for it to be suitable for S/MIME and/or OpenPGP.

I think there is some peril here, Jim -- in one sentence you warn us
that MASS won't use an embedded header approach, right after you explain
that SIP (and S/MIME) use that exact approach.

The good news is that means I'm completely offending only one of the
four people we're supposed to help with the initial direction that I
would suggest (using the current S/MIME strategy with better defined
rules about header merging).

So should we take this on? Where do people stand on this? I've had
enough time to recharge from the last beat-down I took from this issue
that I'd probably suit up and take some hits.

Blake Ramsdell | Sendmail, Inc. | http://www.sendmail.com