ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Output summary - proposing ODID "Originating Domain Identity"

2011-05-04 12:56:27
On 05/04/2011 10:43 AM, Murray S. Kucherawy wrote:
-----Original Message-----
From: Michael Thomas [mailto:mike(_at_)mtcc(_dot_)com]
Sent: Wednesday, May 04, 2011 10:29 AM
To: Murray S. Kucherawy
Cc: dcrocker(_at_)bbiw(_dot_)net; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Output summary - proposing ODID "Originating Domain 
Identity"

It's because I didn't want to imply that those were the only two. It's just
what I found in my quick scan. But they were the advise about ignoring
signatures with sha1, and another saying you could ignore an l= *tag*.
     
I can't recall the history of the first one, other than it being consistent 
with general IETF movement away from use of SHA1.  Perhaps someone else can 
comment there.
   
Saying that receivers can ignore signatures with sha1 is a serious
difference. What does that do for interoperability if followed? Nothing
good is my guess. The advise I've always heard is "walk, but don't run"
away from sha1. Let's be real: DKIM's crypto guarantees are already low;
sha1 is the least of its weaknesses.

The advice that a verifier can ignore the "l=" tag was in RFC4871, so copying 
it to RFC4871bis doesn't seem like a problem to me.
   
You can't ignore the *tag*. That's the normative change. Whether you
ignore the *output* is another matter. But of course you can't ignore
the output because l= is "internal". Yet another problem.

Mike
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>