Perhaps we are disagreeing on what the chain of custody would be for a
message where not all signatures can be verified. I was thinking of
something that starts with message origination and extends to the message's
final destination. To me, it is not correct to say that an entity is in
that chain of custody if you can't verify that they did actually handle the
message at some point along the way. Without a passing signature, I think
the options are that you don't consider them part of the chain at all, or
you need to trust that the system producing the bottom-most passing
signature isn't doing something malicious.

But I will concede that a chain formed by the intact signatures present on
the message is still a chain of custody, even if it's not the complete
chain of custody for the message. I haven't thought through whether this
has enough useful properties to justify implementing it.

On Sat, Nov 1, 2025, 9:36 a.m. Dave Crocker <[email protected]> wrote:

> On 11/1/2025 6:27 AM, Allen Robinson wrote:
> > My problem is with the first bit. Without deltas, the chain of custody
> > is dependent on trust.
>
>
> A common problem in security-related discussions in general is the
> requirement for complete perfection, all the time, rather than
> considering incremental value.  That is, getting /some/ benefits, while
> striving for more.
>
> The reality of the scale and diversity of the Internet is that complete
> compliance by everyone all the time is rarely attainable, and pretty
> much never in the world of email.
>
> So, your assessment of the limitation is correct.  Dismissing it as,
> therefore, being without value is not.
>
> Having a validated chain of custody is useful, even if being able to
> certify what actions were taken by each entity in the chain is not.
>
> d/
>
> --
> Dave Crocker
>
> Brandenburg InternetWorking
> bbiw.net
> bluesky: @dcrocker.bsky.social
> mast: @[email protected]
>
>
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
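To make the two readings above concrete (a chain formed only from the signatures that still verify, versus having to trust the lowest passing signer for everything beneath it), here is an added example. It is mine, not code from this thread, from any DKIM2 draft, or from any DKIM implementation. HMAC with per-domain shared secrets stands in for DKIM's public-key verification, and the header layout (a d=/bh=/b= triple per hop, each hop also signing the signature headers already present) is an assumption chosen to make the chain ordered and tamper-evident, not a description of DKIM or DKIM2 on the wire. The domains, keys and message are constructed.

```python
"""Toy model: reconstructing a chain of custody from intact signatures.

Added example, not from the ietf-dkim thread. HMAC with per-domain secrets
stands in for DKIM public-key signatures; the header layout is an assumption
loosely modelled on DKIM's bh=/b= tags, not any DKIM or DKIM2 specification.
"""
import hashlib
import hmac

# Constructed key table. In real DKIM this is a DNS TXT lookup keyed by d=/s=.
KEYS = {
    "origin.example": b"k-origin",
    "list.example": b"k-list",
    "relay.example": b"k-relay",
}


def _body_hash(body: str) -> str:
    # Approximates DKIM "simple" body canonicalization: CRLF line endings,
    # trailing empty lines removed, exactly one CRLF at the end.
    lines = body.replace("\r\n", "\n").rstrip("\n").split("\n")
    return hashlib.sha256(("\r\n".join(lines) + "\r\n").encode()).hexdigest()


def _signing_input(domain: str, bh: str, prior_sigs: list) -> bytes:
    # Each hop signs the body hash plus every signature header already on the
    # message, so the order of hops is part of what is signed.
    return "\n".join([f"d={domain}", f"bh={bh}"] + prior_sigs).encode()


def sign(msg: dict, domain: str) -> dict:
    """Return a copy of `msg` with a new signature for `domain` on top."""
    bh = _body_hash(msg["body"])
    prior = list(msg["sigs"])
    tag = hmac.new(KEYS[domain], _signing_input(domain, bh, prior), "sha256").hexdigest()
    # Newest signature first, matching how header fields are prepended.
    return {"body": msg["body"], "sigs": [f"d={domain}; bh={bh}; b={tag}"] + prior}


def _parse(sig: str) -> dict:
    return dict(part.strip().split("=", 1) for part in sig.split(";"))


def verify_chain(msg: dict):
    """Return (intact_hops, complete).

    intact_hops lists the domains whose signatures verify against the message
    as received, oldest hop first. complete is True only if every signature
    present verified, i.e. the intact chain is also the full chain.
    """
    sigs = msg["sigs"]
    bh_now = _body_hash(msg["body"])
    intact, complete = [], True
    for i in range(len(sigs) - 1, -1, -1):  # walk from oldest hop to newest
        fields = _parse(sigs[i])
        prior = sigs[i + 1:]  # the signatures this hop saw when it signed
        key = KEYS.get(fields["d"])
        ok = False
        if key is not None and fields["bh"] == bh_now:
            expect = hmac.new(key, _signing_input(fields["d"], fields["bh"], prior),
                              "sha256").hexdigest()
            ok = hmac.compare_digest(expect, fields["b"])
        if ok:
            intact.append(fields["d"])
        else:
            complete = False
    return intact, complete


def demo():
    """Origin signs; a list appends a footer and signs; a relay signs."""
    at_origin = sign({"body": "Hello\n", "sigs": []}, "origin.example")
    # The list modifies the body, so the originator's signature can no longer
    # be verified by anyone downstream; the list's and relay's still can.
    at_list = sign({"body": at_origin["body"] + "-- list footer\n",
                    "sigs": at_origin["sigs"]}, "list.example")
    at_relay = sign(at_list, "relay.example")
    return verify_chain(at_relay)


if __name__ == "__main__":
    hops, complete = demo()
    print("intact chain:", " -> ".join(hops))
    print("complete chain:", complete)
```

Running `demo()` yields an intact chain of list.example followed by relay.example with `complete` False: the originator did handle the message, but nothing verifiable says so. The receiver can either treat the chain as starting at list.example, or accept list.example's signature as vouching for everything below it, which is exactly the trust the thread is debating.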