-----Original Message-----
From: barryleiba(_dot_)mailing(_dot_)lists(_at_)gmail(_dot_)com
[mailto:barryleiba(_dot_)mailing(_dot_)lists(_at_)gmail(_dot_)com] On Behalf
Of Barry Leiba
Sent: Monday, April 25, 2011 1:37 PM
To: Murray S. Kucherawy
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Issue: Section 4.3 Hash method Note
Actually, with one important correction (below), I like Hector's text
better. I do think the attempt at a concrete example is a red
herring, and I prefer more abstract statement. For that matter, I
even think the "CPU-bound" part is too specific, so I'll offer a small
tweak.
The important correction is to change "may", which could be
interpreted as RFC 2119 language, to something else ("might", say).
That's particularly significant in "verifiers may not implement",
which might be incorrectly read as "verifiers MUST NOT implement", or
some such. It's easy to avoid that.
My suggestion:
INFORMATIVE NOTE: Although rsa-sha256 is strongly encouraged
and should, in general, be used whenever possible, some
senders might prefer to use rsa-sha1 when balancing security
strength against performance, complexity, or other needs.
Compliant verifiers might not implement rsa-sha1, and they will
treat such messages as unsigned.
You're right, I'd missed the "may" use, and "might" is better.
The tracker's still down, but I'll reopen that issue (#13) for the next version
and cite this suggested text.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html