ietf-smime

Signed Receipts

1998-12-18 06:35:11
Paul/Russ,

I've been looking through the Signed Receipts section of ESS again, and I 
believe I may have found an omission.

Let me set the scene...

In order to validate a receipt, you need to have the original message (or at 
least a digest of it).  Clearly if you are the "Sender" you would have this.

The receipt request structure contains a ReceiptsTo element, where the 
originator must specify their own address if they wish to receive the receipt 
messages.

What if you're not the originator but are named on the ReceiptsTo list?  How do 
you validate the receipt message without having access to the original message 
(or digest of it) - clearly you can't.

If the original message is copied to the entities on the ReceiptsTo list this 
would be avoided.  There is the potential problem of a receipt message being 
received before the message that it corresponds to but this can be dealt with 
quite easily.

I suggest that we add new paragraphs somewhere to ESS along the following lines:

"In order to allow the returned receipt message to be validated by all entities 
named in the receiptsTo field of the receipt request attribute, the Sender 
SHOULD ensure that the original message is copied to all such entities.

It is possible that a receipt message may be received before the original 
message that it corresponds to.  When such a receipt message is received, the 
recipient SHOULD store the receipt message for later validation.

When a recipient of a message is named on the ReceiptsTo list in a 
receiptRequest attribute, they SHOULD ensure that sufficient information is 
retained from the message to allow validation of any associated receipt 
messages that are subsequently received.  The recipient SHOULD immediately 
validate any receipt messages that were received prior to message reception."

I've used SHOULDs here to allow for the situation where an entity on the 
ReceiptsTo list is being used as a non-validating receipt sink.

Darren

-------------------------------------------------------------
Darren Harter BSc Hons MBCS CEng
CASM Technical Architect
CASM Programme Office
CESG
Work: dharter(_at_)cesg(_dot_)gov(_dot_)uk
Home: Darren(_dot_)Harter(_at_)bcs(_dot_)org(_dot_)uk
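
The store-then-validate behaviour proposed in the message above, sketched as an added example that is not part of the original post or of ESS itself. The class and method names are hypothetical, the retained information is modelled as a SHA-256 digest of the whole message, and verification of the receipt's own signature is left out.

```python
import hashlib
import hmac
from collections import defaultdict


class ReceiptSink:
    """Models an entity named in receiptsTo that validates receipts (hypothetical)."""

    def __init__(self, max_pending=100):
        self.retained = {}                # content id -> digest of original message
        self.pending = defaultdict(list)  # content id -> receipts that arrived early
        self.max_pending = max_pending    # bound on stored, still unvalidated receipts

    def _matches(self, content_id, receipt_digest):
        # Constant-time comparison of the retained digest with the receipt's digest.
        return hmac.compare_digest(self.retained[content_id], receipt_digest)

    def on_message(self, content_id, message):
        """Copy of the original arrives: retain its digest, then validate
        every receipt that was received before it."""
        self.retained[content_id] = hashlib.sha256(message).digest()
        early = self.pending.pop(content_id, [])
        return [(who, self._matches(content_id, d)) for who, d in early]

    def on_receipt(self, content_id, who, receipt_digest):
        """Return True/False when validated now, None when stored for later."""
        if content_id in self.retained:
            return self._matches(content_id, receipt_digest)
        if sum(len(v) for v in self.pending.values()) >= self.max_pending:
            raise OverflowError("too many unvalidated receipts stored")
        self.pending[content_id].append((who, receipt_digest))
        return None


def demo():
    # Constructed sample data, not taken from any real message.
    msg = b"constructed original message"
    good = hashlib.sha256(msg).digest()
    bad = hashlib.sha256(b"some other message").digest()
    sink = ReceiptSink()
    early = sink.on_receipt("id-1", "alice", good)    # before the original: stored
    early_bad = sink.on_receipt("id-1", "mallory", bad)
    deferred = sink.on_message("id-1", msg)           # original arrives, backlog validated
    late = sink.on_receipt("id-1", "bob", good)       # after the original: immediate
    return early, early_bad, deferred, late
```

The `max_pending` bound is an addition of this sketch: a sink that stores receipts it cannot yet validate needs some limit on how many it will hold.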

