Hi John!

On 7/22/25 15:25, John Levine wrote:
> It appears that Hannah Stern  <[email protected]> said:
>> On 7/20/25 21:10, John R Levine wrote:
>>> On Sun, 20 Jul 2025, Wei Chuang wrote:
>>>> There are two problems: first, the keys that a sender supports are
>>>> obscured by the selectors.
>>>
>>> I don't see what the problem is.  Every signature has the selector and
>>> algorithm so the verifier knows what to look for, right?
>>
>> Only if we implicitly assume the decision to mandatorily use the same
>> selector for all algorithms.
>
> No, that depends how we do it.  Several of the proposals have separate
> selectors for each signature.

You're right. My comment was addressed to a different context but was misleading under the quotes here.

My comment was specific to that subset of suggestions that has one s= but
some way of multi-valued a=/b= (possibly bh=). The suggestions that allow for multiple s= in one way or another are of course not affected by my comment.

>>> Hmm.  I want to think some more about whether the rule is that ALL the
>>> signatures have to be valid (give or take ones the verifier doesn't
>>> support) or ANY signature is adequate.
>>
>> For the still newer PQC algorithms, it could make sense to require that
>> at least one PQC and at least one preQC algorithm yield a valid
>> signature. So in case the chosen PQC algorithm turns out to be weak,
>> we'd be at least still secure-enough against non-quantum attackers.
>
> I fear this is a swamp we do not want to enter, trying to say which
> signatures are "better" than others.  If recipient systems want to
> apply their own heuristics they can do that, but I do not believe that
> we can guess now what sort of heuristics will be useful or which will
> be useless or even worse, counterproductive.

You're probably right. I could live with either, a receiver MUST/SHOULD verify all signatures it supports, or it MUST verify at least one and could choose, at its own discretion, to check more than one (regardless if all, or a subset > 1).

Hannah.
--
Hannah Stern            Mail System Development
www.mail-and-media.com  1&1 Mail & Media Development & Technology GmbH
[email protected]   Brauerstraße 48  76135 Karlsruhe  Germany
+49 721 91374-4519


_______________________________________________
Ietf-dkim mailing list -- [email protected]
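
The three acceptance rules weighed in this thread (ANY signature is adequate, ALL supported signatures must verify, and at least one PQC plus one pre-QC signature), sketched as an added example that is not part of the original message or of any DKIM draft. The `pqc-placeholder` label, the algorithm classes and the sample results are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumption: the a= values this verifier implements, with a class for each.
# "pqc-placeholder" is a made-up label; the thread names no PQC algorithm.
SUPPORTED = {"rsa-sha256": "preqc", "ed25519-sha256": "preqc",
             "pqc-placeholder": "pqc"}

@dataclass(frozen=True)
class SigResult:
    selector: str   # s= tag of the signature
    algorithm: str  # a= tag of the signature
    valid: bool     # outcome of the cryptographic check (False if not checkable)

def _supported(results):
    # "Give or take ones the verifier doesn't support": drop unknown algorithms.
    return [r for r in results if r.algorithm in SUPPORTED]

def policy_any(results):
    """Pass if at least one supported signature verifies."""
    return any(r.valid for r in _supported(results))

def policy_all(results):
    """Pass only if every supported signature verifies.
    An empty supported set must fail explicitly, because all([]) is True."""
    sup = _supported(results)
    return bool(sup) and all(r.valid for r in sup)

def policy_hybrid(results):
    """Pass if at least one PQC and at least one pre-QC signature verify."""
    classes = {SUPPORTED[r.algorithm] for r in _supported(results) if r.valid}
    return {"pqc", "preqc"} <= classes

def evaluate(results):
    return {"any": policy_any(results), "all": policy_all(results),
            "hybrid": policy_hybrid(results)}

# Constructed per-message verification results.
BOTH_VALID = [SigResult("s1", "rsa-sha256", True),
              SigResult("s2", "pqc-placeholder", True)]
PQC_BROKEN = [SigResult("s1", "rsa-sha256", True),
              SigResult("s2", "pqc-placeholder", False)]
ONLY_UNKNOWN = [SigResult("s3", "future-alg", False)]  # nothing checkable

if __name__ == "__main__":
    for name, msg in [("both valid", BOTH_VALID), ("pqc broken", PQC_BROKEN),
                      ("only unknown", ONLY_UNKNOWN)]:
        print(name, evaluate(msg))
```

The `ONLY_UNKNOWN` case is where the ALL rule needs care: once unsupported signatures are ignored, nothing is left to check, and a bare `all()` over the empty list would accept the message.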