On Sat, Jul 8, 2017 at 10:55 AM, Dave Crocker <[email protected]> wrote:
> 2. The mechanics of cascading signatures that ARC does /is/ unusual
> and possibly unique. I believe the only operationally established exemplar
> in this space is the X.509 cert signature hierarchy. However it is a
> relatively static, offline-signature model for signing the cert hierarchy
> -- as opposed to using the cert to sign payload -- while ARC is entirely on
> the fly. Both technically and operationally, this is a non-trivial point.
> The simplest aspect of this is that we don't know how fragile this will
> prove.
>
> 3. Having the receiver filtering engine evaluate intermediaries in the
> way that ARC enables is, I believe, new. In terms of the usual filtering
> models I also believe it is conceptually quite different, or at least not
> widely appreciated.
>
> 4. Whether or how to evaluate the origination identifier, through the
> ARC-signed Results packaging, is also new and involves a model of indirect
> trust that I believe has not been done before (or, again, at least not
> widely.)
>

There's interest verging on anxiety to get this deployed, and thus there are both private and public implementations of it that are relatively stable (modulo some open questions about the draft content). It won't be long before we're able to gather efficacy details based on live operation, even if the draft hasn't been given an RFC number yet.

But you're right, there's some new stuff here, and strange side effects could take a while to manifest, or it could take us a while to figure out how to deal with them when they appear.

So if it's more important to get an RFC published than it is to wait for some modicum of deployed maturity -- which will take months, at least, I would guess -- then Experimental is indeed something we should consider, and I also agree with Andrew that the experiment should be reasonably well described and bounded.

-MSK
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
