ietf-dkim

Re: [ietf-dkim] Data integrity claims

2010-10-18 14:26:45
I'm trying to find a way for us to build a consensus on how to move
forward. 

While I have tended towards favoring a normative approach, you are
swaying me with this "amazing Security Considerations addendum".

Mike

-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Murray S. Kucherawy
Sent: Monday, October 18, 2010 3:18 PM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Data integrity claims

-----Original Message-----
From: MH Michael Hammer (5304) [mailto:MHammer(_at_)ag(_dot_)com]
Sent: Monday, October 18, 2010 12:11 PM
To: Murray S. Kucherawy; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: RE: [ietf-dkim] Data integrity claims

See above. This leads me to believe that you might be amenable to
informative text rather than normative text.

Yes, I'm in favour of the most amazing Security Considerations addendum
you could ever imagine to cover this, and not in favour of normative
text.

If we can output a "warn" bit in addition to pass/fail/none, we're also
presuming the MUAs will adapt to consume it.  But then the MUAs can just
as easily adapt to show you what parts of the message were signed and
which were not, and that is in fact the more complete solution.

This is no more presumptuous than expecting that MUAs will adapt to
consume the output of DKIM as it stands now.

In another message I indicated that I don't presume either, but assert
that there's no middle ground; they will or they won't.  If they will,
informative text is sufficient; if they won't, then we have to start
hardening MTAs to defend against MUA attacks because that's where header
changes and other enforcements are possible since, by definition, any
current annotations are invisible and will stay that way.

I'm fine with accepting either model, but we have to understand the
implications of picking one.  The latter, in particular, involves some
major scope creep.

Perhaps we should try to get some of the MUA folks to join the
conversation.

That's a novel idea!  I'll poll some other lists I'm on (and you're also
on, so you can make sure my wording isn't leading) and see if I can get
any feedback.


_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
