On Tue, Apr 29, 2014 at 3:00 PM, Douglas Otis
<doug(_dot_)mtview(_at_)gmail(_dot_)com> wrote:
There will be an effort made to better generalize the TPA expired draft.
http://tools.ietf.org/html/rfc6541 (ATPS) was hostile to existing
mailing-list services and, as such, could not be deployed. Nor was it more
suitable for high volume email services. An effort to change From header
fields will have users guessing which field indicates who authored the
message and in the end will provide no benefit.
ATPS was deployed as part of an open source package since before it was
published. It has seen negligible use, and I suspect that's because there
has not to date been any demand for third-party signing mechanisms of any
kind. In particular, nobody has said anything even a little bit like "I
would use ATPS if only it were changed in the following way(s): ...",
including (and especilaly) the large messaging providers that use that open
source package.
To me, this may lend credence to John Levine's claim that the list signing
the message is as good or better than the author signing the message.
In any case, ATPS, TPA, and its variants all run up against a whitelisting
scaling problem. I think that's the more interesting thing to discuss.
-MSK