--On Wednesday, March 26, 2025 17:00 -0700 Rob Sayre <sayrer@xxxxxxxxx> wrote:

> On Wed, Mar 26, 2025 at 4:47 PM John Levine <johnl@xxxxxxxxx>
> wrote:
>
>> It appears that Rob Sayre <sayrer@xxxxxxxxx> said:
>> > I write this as a disinterested party. I don't get it. We have a
>> > standards-track RFC:
>> > https://datatracker.ietf.org/doc/html/rfc6376
>> >
>> > RFC 5321 and RFC 5322 are normative references. Why cite PGP and
>> > S/MIME but not this one?
>>
>> Please reread Dave's and my messages. They don't do even sort of
>> the same thing.
>>
>
> I read them. Ekr offered concrete text that those messages did not
> address.

Assuming you are referring to

"Signatures applied by the originating MTA as in DKIM [XX] also provide strong authenticity, subject to the correct behavior of that MTA."

That statement is actually wrong factually. In addition to the issues with DKIM that Viktor pointed out [1], strong authenticity is not only subject to the behavior of the originating MTA but on all MTAs intermediate between the originated and final delivery ones ("relays") being well-behaved. Independent of mechanisms that might be included in present or future versions of DKIM to prevent false positives by relays tampering with the headers, relay changes to headers that result in false negatives can be equally damaging under many circumstances.

Those issues reinforce Viktor's three caveats and the conclusion that DKIM should not be dragged into SMTP and that doing so properly would be too complex for 5321bis. Indeed, IMnvHO, any of the four should be sufficient to keep the discussion out of 5321bis.

   john

[1] https://mailarchive.ietf.org/arch/msg/last-call/vv7eA91irjygCktYRigMNsYlaIE

>
> I agree that it's not the same thing. On the other hand, people use
> it, in contrast to PGP and S/MIME.
>
> thanks,
> Rob

--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx