ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Comments on draft-ietf-dkim-rfc4871bis-02

2010-10-21 15:51:27
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of SM
Sent: Tuesday, October 19, 2010 2:19 PM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: [ietf-dkim] Comments on draft-ietf-dkim-rfc4871bis-02

Hello,

I commented on draft-ietf-dkim-rfc4871bis-01 previously (
http://mipassoc.org/pipermail/ietf-dkim/2010q4/014696.html ).

draft-ietf-dkim-rfc4871bis-02 obsoletes RFC 4871.  RFC 5672 updates
RFC 4871.  Why is the "RFC 4871 DomainKeys Identified Mail (DKIM)
Signatures -- Update" document not being obsoleted by this document?

That sounds right to me.

In the Introduction Section:

   "DomainKeys Identified Mail (DKIM) permits a person, role, or
    organization that owns the signing domain to claim some
    responsibility for a message by associating the domain with the
    message."

Dave proposed a change to add a RFC 1034 reference in that sentence.

    DomainKeys Identified Mail (DKIM) permits a person, role, or
    organization that owns the signing domain to claim some
    responsibility for a message  [RFC5322] by associating the domain
    name [RFC1034] with the message.

I suggest adding a reference to RFC 5322 in there to make it clear
what "message" is.

I forget; does the email architecture document talk about the difference 
between a DNS domain and an ADMD?  This was an issue during the IESG evaluation 
of Authentication-Results and I seem to recall it being a place to which 
readers could be referred to learn the difference.  Maybe changing "domain" to 
"DNS domain" would be appropriate, and also changing the RFC1034 reference to 
point at RFC5598?

As I mentioned previously, in Section 3.3:

    "In general, sha256 should always be used whenever possible."

That text was in RFC 4871 too as part of the informative note.  Could
it be removed to avoid any dilution of the SHOULD in the "Signers
MUST implement and SHOULD sign using rsa-sha256" sentence?

The OpenDKIM stats shows that SHA1 is still in very widespread use, both by 
domain counts and by aggregate message counts.  Trying to force DS to talk only 
about SHA256 would mean alienating half or more of the current install base, 
and we felt that was probably a bad idea.

In Section 3.3.3:

      "The practical constraint that large (e.g., 4096 bit) keys may not
       fit within a 512-byte DNS UDP response packet"

Could a normative reference to RFC 1035 be added in that sentence?

       The practical constraint that large (e.g., 4096 bit) keys may not
       fit within a 512-byte DNS UDP response packet [RFC1035]

Seems reasonable to me, though I don't think it needs to be normative since 
that text is discussion rather than protocol specification.

I'll mention it again; in Section 3.5 for the d= tag:

    "Internationalized domain names MUST be encoded as described in
     [RFC3490]."

And i= tag:

    "Internationalized domain names MUST be converted using the steps
     listed in Section 4 of [RFC3490] using the "ToASCII" function."

Is there a reason why this working group requires that a document
with an intended status of "Draft Standard" should have a normative
reference to a RFC that has been obsoleted?

I can't remember the disposition of this, but I think the problem is that we 
want to use ToASCII while no current (i.e. not obsolete) document contains a 
definition of it.  I seem to recall one of the other co-authors looking into it 
and finding this was acceptable, but I don't recall.  Dave, can you comment?

In Section 5.3:

   "Similarly, a message that is not compliant with RFC5322, RFC2045
    correct or interpret such content."

I do not understand that sentence.

XML error.  Dave already posted what that was supposed to be.

  "Therefore, a verifier SHOULD NOT validate a message that is
    not conformant."

That sounds like good advice.

According to draft-ietf-dkim-implementation-report-03, the
interoperability and testing event was held in 2007.  Was the above
requirement tested during that event?  If this working group wants to
add such a requirement, I suggest setting the intended status of
draft-ietf-dkim-rfc4871bis to "Proposed Standard".

I don't recall it being tested specifically.  And I don't have a good sense 
about whether the addition of this normative requirement would require a 
recycle or not.  I defer to those more experienced than me.

In Section 5.5:

   "Verifiers MUST be capable of verifying signatures even
    if one or more of the recommended header fields is not signed
    (with the exception of From, which must always be signed)"

Is the last "must" a requirement?

No, I think it's simply an informative back-reference to another specified 
requirement.  Maybe changing "must always" to "always has to" would clear that 
up.

draft-ietf-dkim-rfc4871bis has an informative reference to RFC
5451.  I note that the draft uses the "X-Authentication-Results"
header field line.

Yes, that should be fixed.

Thanks,
-MSK

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html