Murray wrote:
Post-delivery survival of the signature is not only not a goal, it is arguably (or possibly demonstrably) a problem.
Can we say more about this if we're going to take that position? A naked "not a goal" doesn't jibe with RFC 4686, which explicitly says it is a goal, or at least that it was one.
I guess that means it comes down to making an argument about what experience has shown us: Does Barry's use case, plus the Thunderbird plug-in use case, together carry more weight than the perceived problem that replay causes?
Also, a reminder that the WG hasn't actually rechartered yet; maybe some of these debates should wait until that's happened.
I completely disagree with the notion that signatures should be removed. I don't recall it ever being discussed one way or the other, so saying that it is "not a goal" is just a bald assertion. Having the signature survive has forensic value, for better or worse. Yes, and there is "for better" too. Not to mention that MUAs have a stake in this too. Nothing requires MDAs to create an Auth-Res header, for example. Plus there is information in the signature header that can be useful for MUAs.
Also: this is clearly BCP material that everybody is free to ignore. There are no interoperability considerations.
This working group should go back to sleep.

Mike
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
