Doug,
We're done with that document. We had the WG last call.
Its finished. Unless something REALLY BIG turns up, but
that's always true.
*If* the document editor wants to make innocuous changes
during AUTH-48, that'd be ok. I'll leave it to Jim to
figure if this is one such or not. These are not IMO
REALLY BIG issues.
For the rest of us - let's get on to discussing the base
draft (unless someone wants to be left behind haggling
over threats wordsmithing:-)
Regards,
Stephen.
PS: Same response to the mails sent to ietf-discuss!
Douglas Otis wrote:
,---
| 4.1.14. Cryptographic Weaknesses in Signature Generation
|
| The message signature system must be designed to support multiple
| signature and hash algorithms, and the signing domain must be able to
| specify which algorithms it uses to sign messages. The choice of
| algorithms must be published in key records, rather than in the
| signature itself, to ensure that an attacker is not able to create
| signatures using algorithms weaker than the domain wishes to permit.
'___
This leaves out the "bid-down" concern.
Change to:
: The message signature system must be designed to support multiple
: signature and hash algorithms, and the signing domain must be able to
: specify which algorithms it uses to sign messages. The choice of
: algorithms as well as the preferred algorithm offered when multiple
: signatures are added to a message must be published in key records,
: rather than in the just the signature itself, to ensure that an
: attacker is not able to create signatures using algorithms weaker than
: the domain prefers or wishes to permit.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html