Re: sender-auth and ira

2001-10-25 15:25:43

At 3:57 PM -0400 10/25/01, Daniel Brown wrote:
> 4.  Can the intended-recipients feature be abused?  What if Alice
> signs "I'll pay you $100." with intended recipients of both Bob and
> Carol?  Can Alice abuse this to create confusion and deny obligations?

This is unavoidable and cannot be part of a standard. We cannot regulate the content of signed and encrypted messages, nor can we regulate the interpretation of that content. We can only regulate the signing and encrypting mechanisms.

> 6.  Does the intended-recipients feature create too much extra
> bandwidth by including the names of the intended recipients?  If so,
> can there be an option where the intended-recipients are omitted
> from the CMS entity itself but automatically grabbed from the
> TO and CC headers in order to compute the signed attributes?

Again, we should not be limiting the solution to RFC 2822 messages. CMS is useful for moving lots of kinds of data.

--Paul Hoffman, Director
--Internet Mail Consortium

