At 1:43 PM -0500 5/12/08, Timothy J Miller wrote:
> On May 12, 2008, at 11:49 AM, Paul Hoffman wrote:
>>> When feasible, sending and receiving agents SHOULD inform senders (prior
>>> to transmission) and recipients of the relative cryptographic strength of
>>> messages and SHOULD provide a warning if weak algorithms or key sizes are
>>> used.
>>
>> I'm lost here. Using the protocol described in the document, how
>> would I send such information? How would I send such a warning?
>
> Yet similar advice exists elsewhere in the cert handling spec:
> """
> A receiving agent SHOULD provide some explicit alternate processing
> of the message if this comparison fails, which may be to display
> a message that shows the recipient the addresses in the certificate
> or other certificate details.
> """ (ref: sec 3)

Only somewhat similar. Tony's proposed changes have a "SHOULD inform"
and a "SHOULD provide a warning". The quoted text is "SHOULD provide
alternate processing" which may be displaying a message. That's a big
difference.

> Are you saying that this should come out as well, since your
> objection to the RFC advising implementors to warn users re: key
> strength clearly also applies to the RFC advising implementors re:
> an email mismatch?

Nope. I have nothing against advising implementers. Heck, I've
written a lot of the text that does that. What I object to is a
SHOULD-level "inform" or "provide a warning" when we have no
protocol-standard way of doing so.