
Re: [mail-vet-discuss] SHOULD the header be signed?

2007-12-03 20:18:43
On Monday 03 December 2007 15:39, J D Falk wrote:
Eric agreed:
I'm inclined to agree with the consensus.  There may be situations
where you verify a signature and then pass the message through an
untrusted environment, in which case you might want to re-sign and
re-verify the message, but I suspect they will be rare.  Consider that
this would effectively double the crypto overhead on verifiers, and it
really looks like making this a SHOULD is an expensive solution to
what will be for most people a non-problem.  I would say that it
should be at most a MAY.

+1

If it's an issue for a particular site, they can easily solve it without
affecting anyone else.

If it's not an issue for a particular site, they can easily ignore it
without affecting anyone else.

I'd suggest the spec should discuss the goal (MUAs should not eat untrusted 
headers) and leave it up to local policy how to achieve that goal.

Scott K
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html 
