On Sun, Mar 30, 2025 at 1:21 PM Murray S. Kucherawy <superuser@xxxxxxxxx> wrote:
On Wed, Mar 26, 2025 at 5:00 PM Rob Sayre <sayrer@xxxxxxxxx> wrote:On Wed, Mar 26, 2025 at 4:47 PM John Levine <johnl@xxxxxxxxx> wrote:It appears that Rob Sayre <sayrer@xxxxxxxxx> said:
>I write this as a disinterested party. I don't get it. We have a
>standards-track RFC:
>https://datatracker.ietf.org/doc/html/rfc6376
>
>RFC 5321 and RFC 5322 are normative references. Why cite PGP and S/MIME but
>not this one?
Please reread Dave's and my messages. They don't do even sort of
the same thing.I read them. Ekr offered concrete text that those messages did not address.I agree that it's not the same thing. On the other hand, people use it, in contrast to PGP and S/MIME.I think "people" is the interesting word here. People sign with these technologies. Domains sign with DKIM.
Hmm, I'm not sure I agree with this part, but I think we agree on the remedy for the spec (put all of this in the AS), as you suggested at the end of this one:
If you look at the Shopify setup, it's about your domain:
But these are usually small businesses, so the distinction between domain and person is fuzzy, and it's getting fuzzier over time (new TLDs etc).
That DKIM achieved Internet Standards status is only a testament to its interoperability and apparent broad use. That doesn't mean it's a complete solution to email security that this body should mandate.
I think the AS doesn't separate Authentication, Confidentiality, and Message Integrity very well. Then, there's the additional wrinkle of end-to-end vs hop-by-hop. It could all be better.
thanks,
Rob
-- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx
