ietf-dkim

Re: [ietf-dkim] yet more sophistry, was Data integrity claims

2010-10-18 04:45:18
On 16/Oct/10 21:24, John R. Levine wrote:
 "Which header fields are essential to protect?
How much of the message body is essential to protect?"

Your questions are noted. Other than the MUST to sign the From: 
header, the DKIM spec offers the technical latitude to create a 
totally worthless signature. I don't know anyone who disagrees with that.

The spec preludes to a policy in various parts.  Another one is in
section 6.3 (page 51) where it says

 If the SDID is not the same as the address in the From: header
 field, the mail system SHOULD take pains to ensure that the actual
 SDID is clear to the reader.

IMHO, this sentence can be safely dropped.

A couple of paragraphs below that, one reads

 The verifier MAY treat unsigned header fields with extreme
 skepticism, including marking them as untrusted or even deleting them
 before display to the end user.

This does not specify whether such fields break RFC 5322 compliance.
Mark's suggestion to suitably prefix them can be added here, as an
explicit indication of /how/ to mark them.  IMHO, raising that MAY to
a SHOULD or MUST would not be very effective in practice, though.

In section 2.6, in item 2 on page 8 [...]
I couldn't locate this.  For a trivial note, tools.ietf.org doesn't
seem to respond properly.  It does:

 # curl -vO http://tools.ietf.org/html/draft-ietf-dkim-rfc4871bis
 * About to connect() to tools.ietf.org port 80 (#0)
 *   Trying 194.146.105.14... connected
 * Connected to tools.ietf.org (194.146.105.14) port 80 (#0)
 > GET /html/draft-ietf-dkim-rfc4871bis HTTP/1.1
 > User-Agent: curl/7.17.1 (i586-pc-mingw32msvc) libcurl/7.17.1 OpenSSL/0.9.8b zlib/1.2.3
 > Host: tools.ietf.org
 > Accept: */*

 < HTTP/1.1 302 Found
 < Date: Mon, 18 Oct 2010 08:43:09 GMT
 < Server: Apache/2.2.16 (Debian)
 < Location: http://tools.ietf.org/html/draft-ietf-dkim-rfc4871bis-02

But then it delivers an empty document for that location:

 # curl -vO http://tools.ietf.org/html/draft-ietf-dkim-rfc4871bis-02
 * About to connect() to tools.ietf.org port 80 (#0)
 *   Trying 194.146.105.14... connected
 * Connected to tools.ietf.org (194.146.105.14) port 80 (#0)
 > GET /html/draft-ietf-dkim-rfc4871bis-02 HTTP/1.1
 > User-Agent: curl/7.17.1 (i586-pc-mingw32msvc) libcurl/7.17.1 OpenSSL/0.9.8b zlib/1.2.3
 > Host: tools.ietf.org
 > Accept: */*

 < HTTP/1.1 200 OK
 < Date: Mon, 18 Oct 2010 08:43:25 GMT
 < Server: Apache/2.2.16 (Debian)
 < Content-Location: draft-ietf-dkim-rfc4871bis-02.html
 < Vary: negotiate
 < TCN: choice
 < Last-Modified: Mon, 11 Oct 2010 22:32:20 GMT
 < ETag: "15d10aa-0-4925eeeee0500;492e02b528300"
 < Accept-Ranges: bytes
 < Content-Length: 0
 < Content-Type: text/html; charset=UTF-8

And in http://tools.ietf.org/html/draft-ietf-dkim-rfc4871bis-01 there
is no mention at all of -02.  Why?
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
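
Added illustration, not part of the message above or of the draft: the two verifier-side checks quoted from section 6.3 (SDID versus From: address, and marking unsigned header fields), run over a constructed message. It assumes the signature has already verified cryptographically; the `X-Unsigned-` prefix and the function names are hypothetical, since the thread does not say what prefix was proposed.

```python
import email
from email.utils import parseaddr

# Constructed sample (not from the thread): two Subject fields, but h= lists
# "subject" only once, so only the bottom-most instance is covered.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "Received: from mx.example.net by mail.example.org\r\n"
    "Subject: added in transit\r\n"
    "From: Alice <alice@lists.example.org>\r\n"
    "To: bob@example.org\r\n"
    "Subject: original subject\r\n"
    "Date: Mon, 18 Oct 2010 04:45:18 +0000\r\n"
    "\r\n"
    "body\r\n"
)

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags

def audit(raw, prefix="X-Unsigned-"):
    """Return (sdid, sdid_equals_from_domain, [(display_name, value), ...])."""
    msg = email.message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    fields = msg.items()  # header fields in top-to-bottom order
    covered = set()
    for name in tags["h"].lower().split(":"):
        # Each h= entry consumes the lowest not-yet-consumed instance of that name.
        for i in range(len(fields) - 1, -1, -1):
            if i not in covered and fields[i][0].lower() == name:
                covered.add(i)
                break
    sdid = tags["d"].lower()
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # The DKIM-Signature field itself is part of the signed data, so it is not prefixed.
    marked = [(n if i in covered or n.lower() == "dkim-signature" else prefix + n, v)
              for i, (n, v) in enumerate(fields)]
    return sdid, sdid == from_domain, marked

if __name__ == "__main__":
    sdid, same, marked = audit(SAMPLE)
    print("SDID:", sdid, "(matches From: domain)" if same else "(differs from From: domain)")
    for name, value in marked:
        print(f"{name}: {value}")
```

Renaming the fields this way keeps the message syntactically valid, but a trace field such as Received: loses its standard name, which is the RFC 5322 compliance question raised in the message.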
