mail-vet-discuss

Re: [mail-vet-discuss] Last Call: draft-kucherawy-sender-auth-header (Message Header Field for Indicating Message Authentication Status) to Proposed Standard

2008-11-24 15:57:23


Victor Duchovni wrote:
> On Mon, Nov 24, 2008 at 11:58:46AM -0800, Michael Thomas wrote:
>
> > Yeah, definitely a security considerations if anything. But isn't this
> > pretty much covered by the overall "don't trust what you don't trust"
> > part of the security considerations already?
>
> No, because the MUA will in fact trust the header (when it carries the
> right "authserv-id"). Otherwise it is completely useless to the MUA.

Sorry but I think that asserting a truth like that and that simply is entirely
unfounded.  Since there is no MUA precedence for this header and since I don't
even know what it means to say "the MUA will... trust the header", I think that
statements about the details in handling the information need to be moderate
and careful.

> I do not wish to be a troll, so unless my point is not clear, I don't
> want to repeat myself. Having made the point about as well as I can,
> if it is broadly believed to be out of scope, so be it.

I think your concern has served to prompt more clarifying language.  Given the
nature of this mechanism, more clarifying language is almost certainly a Good
Thing.

> IMHO, this issue deserves specific discussion in the Security
> Considerations, because, while it is not deep, it is not entirely obvious.

I agree.

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html 
