On 4/25/2011 1:37 PM, Barry Leiba wrote:
My suggestion: INFORMATIVE NOTE: Although rsa-sha256 is strongly encouraged
and should, in general, be used whenever possible, some senders might prefer
to use rsa-sha1 when balancing security strength against performance,
complexity, or other needs. Compliant verifiers might not implement rsa-sha1,
and they will treat such messages as unsigned.
'should' is another protected word. Worse, the tone of the sentence using it
really is prescriptive and the 'should' is essentially repeating a normative
statement provided elsewere -- essentially creating a redundant specification.
So...
INFORMATIVE NOTE: Although use of rsa-sha256 is strongly encouraged,
some senders might prefer to use rsa-sha1 when balancing security
strength against performance, complexity, or other needs. However,
compliant verifiers might not implement rsa-sha1; they will treat
such messages as unsigned.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html