-----Original Message-----
From: MH Michael Hammer (5304) [mailto:MHammer(_at_)ag(_dot_)com]
Sent: Monday, October 18, 2010 12:11 PM
To: Murray S. Kucherawy; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: RE: [ietf-dkim] Data integrity claims
See above. This leads me to believe that you might be amenable to
informative text rather than normative text.
Yes, I'm in favour of the most amazing Security Considerations addendum you
could ever imagine to cover this, and not in favour of normative text.
If we can output a "warn" bit in addition to pass/fail/none, we're also
presuming the MUAs will adapt to consume it. But then the MUAs can just
as easily adapt to show you what parts of the message were signed and
which were not, and that is in fact the more complete solution.
This is no more presumptuous than expecting that MUAs will adapt to
consume the output of DKIM as it stands now.
In another message I indicated that I don't presume either, but assert that
there's no middle ground; they will or they won't. If they will, informative
text is sufficient; if they won't, then we have to start hardening MTAs to
defend against MUA attacks because that's where header changes and other
enforcements are possible since, by definition, any current annotations are
invisible and will stay that way.
I'm fine with accepting either model, but we have to understand the
implications of picking one. The latter, in particular, involves some major
scope creep.
Perhaps we should try to get some of the MUA folks to join the conversation.
That's a novel idea! I'll poll some other lists I'm on (and you're also on, so
you can make sure my wording isn't leading) and see if I can get any feedback.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html