ietf-dkim

Re: [ietf-dkim] Supporting alternate algorithms

2006-02-22 11:16:55
Ned Freed wrote:
I'm sorry, but it is folly to think you have a choice in the matter. There has
to be at least one mandatory to implement mechanism to insure all
implementations can interoperate.

Most of the time I would buy this Ned, but the ramifications of NOT
interoperating are not at all clear here.  The worst is that you don't
show the message as verified.  And while that is a deployment and not an
implementation consideration, why force people to implement something we
know we're transitioning away from?  It doesn't matter so much today.
Everyone today is going to implement SHA-1.  But it matters 2 - 3 years
down the road, when that decision shouldn't be forced by the IETF.

The ramifications of not having a common mandatory to implement hash are going
to be not being able to make it to proposed. Even if we were able to reach
consensus on it in the WG (I for one would strenuously object) I see no chance
whatsoever that it would pass security review.

Feel free to prove me wrong by getting statements to the contrary from the
relevant ADs. Absent that I'll continue to reach this conclusion based on
extensive past experience, which AFAIK is 100% consistent on this point. And I
don't think the argument that DKIM is somehow different than, say, the even
more ephemeral mechanisms used in something like TLS, is going to sway people
to your point of view.

Of course this doesn't mean we couldn't just have SHA-256 as the only MUST. I
think that's a bad idea, but it would probably fly. But you appear to be
arguing that there should be no mandatory to implement at all.

                                Ned