From: Stephen Farrell [mailto:stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie]

Alice also had the option of sequentially signing if she
considers one alg better than the other.

Think it through, does not work, Mallet can still spoof because there is no way
for Alice to say expect the sequential signature.
Mallet can create a complete forgery with ZSA.
Without policy language support anyone who advertises a less supported
algorithm is open to spoofing.

Alice MUST have a way to state "I always sign with BOTH ZSA
AND RSA2048".

Sure - invent a "zsaandrsa2048" algorithm:-) But I don't see
the reason for the MUST, since this only affects a Bob who's
happy with rsa2048, and who is therefore vulnerable to
whatever problems exist for that algorithm regardless of
Alice's policy.

Bob does not see the RSA2048. Mallet only includes a fake sig for ZSA.
In effect the lack of the AND policy statement means that
it will never be possible to upgrade to a new algorithm
without rendering the policy specification void.

There may or may not be a need for a separate AND construct
but that's another layer of detail.

No, has to be in base.

If you could state an advantage in terms of collision-dodgy
signature/hash algorithms then maybe it'd convince folks more.
(Or, maybe not, we'll see.)
And again - you've not said what's new here that causes us to
end up with a different answer about this compared to when
the WG considered it for base? (Or maybe you did and I missed it;-)

We are discussing the policy issue, not base.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
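
The downgrade case argued over in this thread, as an added example that is not part of the original message or of any DKIM implementation: a verifier that accepts any one good signature, beside one that enforces a published "always sign with ALL of these" set. Assumptions: HMAC stands in for real signatures, ZSA is modelled as broken by giving Mallet its key, and `verify`, `required_all` and the key values are hypothetical names and constructed data.

```python
import hashlib
import hmac

# Constructed keys. HMAC is only a stand-in for a signature scheme (assumption).
ALICE_KEYS = {"rsa2048": b"alice-rsa-secret", "zsa": b"alice-zsa-secret"}
# Models "ZSA turns out to be forgeable": Mallet can produce valid ZSA tags.
MALLET_KEYS = {"zsa": ALICE_KEYS["zsa"]}

def sign(keys, alg, body):
    return hmac.new(keys[alg], body, hashlib.sha256).hexdigest()

def valid_algs(body, sigs, supported):
    """Algorithms Bob supports for which the message carries a valid signature."""
    return {alg for alg, tag in sigs.items()
            if alg in supported
            and hmac.compare_digest(tag, sign(ALICE_KEYS, alg, body))}

def verify(body, sigs, supported, required_all=None):
    """required_all is Alice's published AND set, or None if no such policy exists."""
    ok = valid_algs(body, sigs, supported)
    if required_all is None:
        # No AND statement: any single good signature is enough.
        return "pass" if ok else "fail"
    # AND policy: every listed algorithm must appear on the message...
    if set(required_all) - set(sigs):
        return "fail"
    # ...and every listed algorithm Bob can check must verify.
    checkable = set(required_all) & set(supported)
    return "pass" if checkable and checkable <= ok else "fail"

def genuine_message():
    body = b"From: alice\r\n\r\nlunch at noon"
    return body, {alg: sign(ALICE_KEYS, alg, body) for alg in ALICE_KEYS}

def forged_message():
    # Mallet attaches only a ZSA signature; no RSA2048 signature is present.
    body = b"From: alice\r\n\r\nwire the funds"
    return body, {"zsa": sign(MALLET_KEYS, "zsa", body)}

if __name__ == "__main__":
    bob = {"rsa2048", "zsa"}
    policy = {"rsa2048", "zsa"}
    for name, (body, sigs) in [("genuine", genuine_message()),
                               ("forged", forged_message())]:
        print(name, "no policy:", verify(body, sigs, bob),
              "| AND policy:", verify(body, sigs, bob, policy))
```

In this model a Bob who supports only ZSA still cannot detect a forgery that carries a bogus RSA2048 value, so the AND set helps only verifiers that can check the stronger algorithm.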