ietf-dkim

RE: [ietf-dkim] Base issue: multiple linked signatures

2007-01-04 10:31:52
 

[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Arvel Hathcock

I believe the current text is meant to do (a) but the 
"checking the signatures in any way" language implies (b).

   Verifiers MUST NOT use the header field names or copied values
   for checking the signature in any way.  Copied header field
   values are for diagnostic use only.

To my way of thinking the language in DKIM-01 was better:

   Verifiers MUST NOT use the copied header field values for
   verification should they be present in the h= field.  Copied
   header field values are for forensic use only.

Perhaps an alternative might be:

    Note:  Signature verification is determined using the content of
    the headers identified by the h= tag.  Copied headers and header
    field values presented by the z= tag are not intended to be used
    for signature verification.  Any signature verification which
    requires the use of the z= tag content does not conform to this
    standard.

To write normative language we have to use MUST or SHOULD.

I suggest rewriting as follows:

      Copied header field values are intended to be used only for
      diagnostic purposes.  Verifiers SHOULD NOT use the header field
      names or copied values for checking the signature in any way.

Reordering the sentences means that the text flows from the rationale to the 
conclusion rather than the other way round, which results in a stronger message.

Replacing MUST NOT with SHOULD NOT preserves the consensus of the WG that using 
the information to verify signatures is a very bad idea while ensuring that 
every MUST remains auditable.

If we are using the information for diagnostic purposes we are still using it 
in conjunction with a signature verification. So I don't think that MUST NOT is 
even consistent with RFC 2119 which states that MUST NOT is an ABSOLUTE 
prohibition.

The language of 2119 is very clear:

   Imperatives of the type defined in this memo must be used with care
   and sparingly.  In particular, they MUST only be used where it is
   actually required for interoperation or to limit behavior which has
   potential for causing harm (e.g., limiting retransmissions).  For
   example, they must not be used to try to impose a particular method
   on implementors where the method is not required for
   interoperability.

Is anyone arguing that

1) This condition is ACTUALLY REQUIRED for interoperation?

2) This condition limits actual HARM?

I really don't think that anyone has made either case at any time in the 
discussions either before or now. 


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
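The h=/z= split that the proposed wording describes, as an added worked example (this is not code from the thread, from Arvel's or the sender's implementation, or from any DKIM library). The verifier rebuilds the header hash input from the headers named in h= as they appear in the message it received, and only decodes z= to report which signed header changed when the check fails. Everything is constructed for illustration: the sample headers, the d=example.com/s=sel identifiers, and a keyed hash (`toy_sign`, hypothetical a=toy-hmac-sha256) standing in for the RSA signature the real protocol uses. Relaxed canonicalization, the last-instance header selection for h=, and the DKIM-Quoted-Printable encoding of z= follow RFC 4871; the body hash (bh=) is omitted.

```python
"""Added example: verifier input comes from h= headers in the message; z= is diagnostic only."""
import hashlib
import hmac
import re

# Hypothetical shared secret standing in for the signer's RSA key pair.
TOY_KEY = b"stand-in-for-rsa-private-key"


def unfold(value: str) -> str:
    """Undo header folding (CRLF followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def relaxed_header(name: str, value: str) -> str:
    """Relaxed header canonicalization (RFC 4871 section 3.4.2)."""
    v = re.sub(r"[ \t]+", " ", unfold(value)).strip()
    return f"{name.lower()}:{v}\r\n"


def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (whitespace dropped)."""
    tags = {}
    for item in unfold(sig_value).split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def header_hash_input(headers: list, sig_value: str) -> bytes:
    """Bytes the signature covers: the h= headers taken from the MESSAGE (last
    instance first, RFC 4871 section 5.4), then DKIM-Signature with b= emptied.
    z= is never read here."""
    tags = parse_tags(sig_value)
    remaining = list(headers)  # (name, value) pairs in message order
    out = []
    for name in tags.get("h", "").split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                out.append(relaxed_header(*remaining.pop(i)))
                break
    sig_no_b = re.sub(r"(?<![A-Za-z0-9])b=[^;]*", "b=", unfold(sig_value))
    out.append(relaxed_header("DKIM-Signature", sig_no_b).rstrip("\r\n"))
    return "".join(out).encode()


def toy_sign(hash_input: bytes) -> str:
    """Stand-in for RSA signing: keyed hash over the header hash input."""
    return hmac.new(TOY_KEY, hash_input, hashlib.sha256).hexdigest()


def verify(headers: list, sig_value: str) -> bool:
    """Verifier: recompute from the message's own h= headers and compare with b=."""
    expected = toy_sign(header_hash_input(headers, sig_value))
    return hmac.compare_digest(expected, parse_tags(sig_value).get("b", ""))


def encode_qp(text: str) -> str:
    """DKIM-Quoted-Printable (RFC 4871 section 2.6); '|' is also encoded for z=."""
    out = []
    for b in text.encode("utf-8"):
        out.append(chr(b) if 0x21 <= b <= 0x7E and b not in b";=|" else f"={b:02X}")
    return "".join(out)


def decode_qp(text: str) -> str:
    """Reverse of encode_qp."""
    raw = re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return raw.encode("latin-1").decode("utf-8", errors="replace")


def decode_z(z: str) -> list:
    """z= is '|'-separated 'Name:value' copies; return them as (name, value) pairs."""
    copies = []
    for item in z.split("|"):
        name, _, value = decode_qp(item).partition(":")
        copies.append((name, value))
    return copies


def diagnose(headers: list, sig_value: str) -> list:
    """Diagnostic use of z=: which signed headers now differ from the signer's copy.
    For logs and humans only; verify() does not call this."""
    current = {}
    for name, value in headers:
        current[name.lower()] = relaxed_header(name, value)  # last instance wins
    report = []
    for name, copied in decode_z(parse_tags(sig_value).get("z", "")):
        if name.lower() not in current:
            report.append((name, "missing"))
        elif current[name.lower()] != relaxed_header(name, copied):
            report.append((name, "modified"))
    return report


def build_signature(headers: list, h_names: list) -> str:
    """Signer side (illustrative): DKIM-Signature value with h=, z= and toy b=."""
    last = {}
    for name, value in headers:
        last[name.lower()] = (name, value)
    z = "|".join(f"{last[n.lower()][0]}:{encode_qp(unfold(last[n.lower()][1]).strip())}"
                 for n in h_names)
    sig = (f"a=toy-hmac-sha256; c=relaxed/relaxed; d=example.com; s=sel; "
           f"h={':'.join(h_names)}; z={z}; b=")
    return sig + toy_sign(header_hash_input(headers, sig))


# Constructed sample: headers as the signer saw them, in message order.
ORIGINAL = [
    ("From", "Alice <alice@example.com>"),
    ("To", "bob@example.net"),
    ("Subject", "Base issue: multiple linked signatures"),
    ("Date", "Thu, 4 Jan 2007 10:31:52 -0800"),
]
SIGNATURE = build_signature(ORIGINAL, ["From", "To", "Subject"])
# Same message after a list rewrote Subject in transit (constructed).
MODIFIED = [(n, "[ietf-dkim] " + v if n == "Subject" else v) for n, v in ORIGINAL]

if __name__ == "__main__":
    print("original verifies:", verify(ORIGINAL, SIGNATURE))
    print("modified verifies:", verify(MODIFIED, SIGNATURE))
    print("z= diagnostic:", diagnose(MODIFIED, SIGNATURE))
```

Run stand-alone it reports True, False and `[('Subject', 'modified')]`: the failed verification is decided entirely by the headers in the received message, and z= only explains the failure afterwards.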
