> -----Original Message-----
> From: MH Michael Hammer (5304) [mailto:mham...@ag.com]
> Sent: Monday, October 18, 2010 12:11 PM
> To: Murray S. Kucherawy; ietf-dkim@mipassoc.org
> Subject: RE: [ietf-dkim] Data integrity claims
>
> See above. This leads me to believe that you might be amenable to
> informative text rather than normative text.

Yes, I'm in favour of the most amazing Security Considerations addendum you could ever imagine to cover this, and not in favour of normative text.

> > If we can output a "warn" bit in addition to pass/fail/none, we're also
> > presuming the MUAs will adapt to consume it. But then the MUAs can just
> > as easily adapt to show you what parts of the message were signed and
> > which were not, and that is in fact the more complete solution.
>
> This is no more presumptuous than expecting that MUAs will adapt to
> consume the output of DKIM as it stands now.

In another message I indicated that I don't presume either, but assert that there's no middle ground; they will or they won't. If they will, informative text is sufficient; if they won't, then we have to start hardening MTAs to defend against MUA attacks because that's where header changes and other enforcements are possible since, by definition, any current annotations are invisible and will stay that way.

I'm fine with accepting either model, but we have to understand the implications of picking one. The latter, in particular, involves some major scope creep.

> Perhaps we should try to get some of the MUA folks to join the conversation.

That's a novel idea! I'll poll some other lists I'm on (and you're also on, so you can make sure my wording isn't leading) and see if I can get any feedback.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html