ietf-dkim

Re: Last Call: <draft-ietf-dkim-rfc4871bis-12.txt> (DomainKeys Identified Mail (DKIM) Signatures) to Draft Standard

2011-06-24 12:47:53
On Fri, Jun 24, 2011 at 12:33 PM, Douglas Otis
<dotis(_at_)mail-abuse(_dot_)org> wrote:
> On 6/23/11 8:24 AM, John Levine wrote:
>> In article <4E02EE24(_dot_)2060708(_at_)gmail(_dot_)com> you write:
>>> On 6/22/11 11:14 AM, Dave CROCKER wrote:
>>>> Folks,
>>>>
>>>> The bottom line about Doug's note is that the working group extensively
>>>> considered the basic issue of multiple From: header fields and Doug is
>>>> raising nothing new about the topic.
>>
>> Dave is quite right.  Doug's purported attack just describes one of
>> the endless ways that a string of bytes could be not quite a valid
>> 5322 message, which might display in some mail programs in ways that
>> some people might consider misleading.  If it's a problem at all, it's
>> not a DKIM problem.
>
> Perhaps you can explain why the motivation stated in RFC4686 includes
> anti-phishing as DKIM's goal?  Why of all the possible headers ONLY the From
> header field MUST be signed?  Why RFC5617 describes the From header field as
> the Author address that is positively confirmed simply with a Valid
> DKIM signature result?  Both RFC4686 and RFC5617 overlooked a rather obvious
> threat clearly demonstrated by Hector Santos on the DKIM mailing list:
> pre-pended singleton header fields.
>
> Neither SMTP nor DKIM check for an invalid number of singleton header
> fields.  These few header fields are limited to one because they are commonly
> displayed.  Multiple occurrences of any of these headers are likely deceptive,
> especially in DKIM's case.  DKIM always selects header fields from the
> bottom up, but most sorting and display functions use top-down selection.
>
> Complaints from John, Dave, Barry and others are likely, and understandably,
> out of fatigue.  They just want the process to be over.  We
> are now hearing there is a vital protocol layering principle at stake which
> even precludes DKIM from making these checks!  Really?

I'm not suffering from fatigue, personally, and I agree with their
negative reaction toward your commentary. You're speaking as though
you expect DKIM to be the *only* type of message validation that's
going to happen to a message and thus it must account for and handle
message flaws far outside of scope.

This is like complaining that four wheels don't work as a car. True,
but you're missing the point. And you're doing it in a manner so laden
with hyperbole as to be offensive. It's really distressing and
disrespectful to the rest of us to have to read your same complaint
over and over and over. You've made your point. Few (none?) seem to
agree. Could you please move on?

Regards,
Al Iverson
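The mismatch Doug describes (DKIM picks header instances from the bottom up, most mail clients display the topmost one) can be modelled and checked on the verifier side. The following is an added illustration, not code from the thread or from any DKIM implementation: a simplified model of the h= selection rule from RFC 6376 section 5.4.2, a duplicate-singleton check against the RFC 5322 section 3.6 maxima, and the "oversigning" defence (listing a header name in h= once more than it occurs, so an extra instance changes what was signed). The message text and addresses are constructed samples.

```python
# Constructed sample: a header block with one From:, and the same block
# with an additional From: placed above it (the "pre-pended" case).
ORIGINAL = (
    "From: alice@example.com\r\n"
    "To: bob@example.net\r\n"
    "Subject: hello\r\n"
)
PREPENDED = "From: extra@example.org\r\n" + ORIGINAL

# RFC 5322 section 3.6: at most one instance of each of these is permitted.
SINGLETON_LIMITS = {"from": 1, "sender": 1, "reply-to": 1, "to": 1, "cc": 1,
                    "date": 1, "message-id": 1, "subject": 1}

def parse_headers(raw):
    """Return [(name_lower, value)] in top-down order, unfolding continuations."""
    fields = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:            # folded continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def select_signed_headers(fields, h_tag):
    """Model of DKIM h= selection: each name in h= consumes the lowest
    not-yet-used instance; a name listed more times than it occurs yields ""."""
    remaining = list(fields)
    chosen = []
    for name in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0] == name:
                chosen.append(remaining.pop(i))
                break
        else:
            chosen.append((name, ""))               # oversigned: nothing left to take
    return chosen

def duplicate_singletons(fields):
    """Verifier-side check: singleton header names that occur more than once."""
    counts = {}
    for name, _ in fields:
        counts[name] = counts.get(name, 0) + 1
    return sorted(n for n, c in counts.items() if c > SINGLETON_LIMITS.get(n, 1 << 30))

def displayed_from(fields):
    """Top-down pick, as the post says most display functions do."""
    return next((v for n, v in fields if n == "from"), None)
```

With `h=from:to:subject` both header blocks select the same bottom `From:`, so the signature still verifies while the top one is displayed; with `h=from:from:to:subject` the selected set differs and the signature would not verify, and `duplicate_singletons` flags the block either way.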
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf