[Top] [All Lists]

Re: BATV pseudo-Last Call

2008-05-20 14:29:20

John Levine wrote:

First, let's see whether we expect other tagging schemes.
The more I think about it, the less likely I think it is.

All mail RFCs are adamant that the local part are the local
business of the MON (mail originating network), and various
schemes down to "percent hack" or gmail conventions exist.

Limited to BATV, if I could do it I likely would NOT pick 
HMAC-SHA1, and for a private scheme I wouldn't waste bytes
for "prvs=".

As noted elsewhere in this thread, with a registry of tags
it is not more completely private and tags make sense.  

E.g. "u=" with the unique part (LHS) of the Message-ID can
make sense where a database is no showstopper, same idea as
for NNTP, with a given expiration.

For your scheme you have "modulo 1000 days", so after 1000
days you can definitely forget an expired key - of course
you can forget it earlier, bounces after three years are
ridiculous, but less than say one month might be too short.

For a completely private scheme you could use the tag to
indicate the used key, e.g. "k1=" for the first key, "k2="
for your second key if the first was compromised, etc.

For a public scheme you could use the tag to indicate the
algorithm, "prvs=" for HMAC-SHA1, "hmac=" for HMAC-MD5,
whatever.  Just an idea, copy the registry stuff from the
SASL RFC, no expert review, but "specification required"
to protect IANA, for more examples see the new RFC 5226.


<Prev in Thread] Current Thread [Next in Thread>