But in fact this was not the concern I was citing about multipart.
I have not heard general criticism of multipart/signed. (Yes, there's
criticism of everything, everywhere these days but I mean that discussions
about whether to use multipart security have not tended to assert major
problems or showstoppers with multipart/signed.) One of the benefits of
the email security workshop seems to have been an increased appreciation
for the benefits of multipart/signed.
multipart/signed syntax is great as it can be implemented simplistically
without a MIME conformant engine if one ignores the conformance requirements
of the multiparts RFC. (Which many implementors do indeed ignore.)
So as a trivial syntactic means of attaching a signature-chain to labelled
content, the RFC is fine. Why one needs multipart semantics is something I
don't follow. I do understand the theory and the opportunity; just
not the endless practice of MIME-conformance which just defeated most of us.
The showstopper with multipart/signed is perhaps the label multipart!
But it seems to work in practice in both http browsers and 822 MIME-UAs
alike providing one doesn't get too complex.