On 6/30/11 9:53 AM, Murray S. Kucherawy wrote:
>> -Original Message-
>> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
>> On Behalf Of Charles Lindsey
>> Sent: Thursday, June 30, 2011 7:05 AM
>> To: DKIM
>> Subject: Re:
On 6/29/11 11:49 AM, Pete Resnick wrote:
> On 6/29/11 11:20 AM, Charles Lindsey wrote:
>> I agree that 8.14 is poorly written (and it was even worse a while back).
>> However, there most certainly IS an attack here, which is NOT the same as
>> the related attack discussed in 8.15, and cannot be pre
> -Original Message-
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of Charles Lindsey
> Sent: Thursday, June 30, 2011 7:05 AM
> To: DKIM
> Subject: Re: [ietf-dkim] Pete's review of 4871bis
>
> The problem is that
KIM
>> Subject: Re: [ietf-dkim] Pete's review of 4871bis
>>
>> I agree that 8.14 is poorly written (and it was even worse a while
>> back).
>> However, there most certainly IS an attack here, which is NOT the same
>> as
>> the related attack discussed
On Wed, 29 Jun 2011 19:49:27 +0100, Pete Resnick
wrote:
> On 6/29/11 11:20 AM, Charles Lindsey wrote:
>> A phisher obtains a throwaway domain and creates a public/private key
>> pair
>> for
>> it. He then sends messages of the following form:
>>
>>
>>
>> To: some.sucker@anywhere
Hi John,
At 09:40 29-06-2011, John R. Levine wrote:
>there's still a lot left. If Pete can force us to strip out more of the
>gratuitous stuff and stick to telling people how to do reliably
>interoperable signing and verification, the actual standards part of the
>standard, he'll be doing everyone
+1
Ned
> RFC 4871 is full of gratuitous and often wrong advice on everything from
> APIs to MUA design to key management. 4871bis got rid of some of it, but
> there's still a lot left. If Pete can force us to strip out more of the
> gratuitous stuff and stick to
> -Original Message-
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of Dave CROCKER
> Sent: Wednesday, June 29, 2011 11:56 AM
> To: Pete Resnick
> Cc: DKIM
> Subject: Re: [ietf-dkim] Pete's review of 4871bis
>
>
On 6/29/2011 11:49 AM, Pete Resnick wrote:
> Now*that's* the attack. But it's NOT AN ATTACK ON DKIM! It's an attack
So?
The original directive to produce a threats analaysis was for threats to
recipients that DKIM might help remedy.
Clearly, techniques later designed to circumvent or exploi
On 6/29/11 11:20 AM, Charles Lindsey wrote:
> I agree that 8.14 is poorly written (and it was even worse a while back).
> However, there most certainly IS an attack here, which is NOT the same as
> the related attack discussed in 8.15, and cannot be prevented by putting
> extra entries in the 'h='
On 6/29/2011 9:40 AM, John R. Levine wrote:
> RFC 4871 is full of gratuitous and often wrong advice on everything from
> APIs to MUA design to key management. 4871bis got rid of some of it, but
> there's still a lot left. If Pete can force us to strip out more of the
> gratuitous stuff and stic
> The first thing is that it's out of scope to address changes to things
> that were in RFC 4871, which was approved by the working group, the
> community, and the IESG in 2007, if it's simply a question of one or
> two people not liking those things so much -- even if one or two of
> those people
> -Original Message-
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of Charles Lindsey
> Sent: Wednesday, June 29, 2011 9:20 AM
> To: DKIM
> Subject: Re: [ietf-dkim] Pete's review of 4871bis
>
> I agree that 8.14
On 6/29/11 11:11 AM, Barry Leiba wrote:
> Pete:
> I'll mostly let the editors reply to this, but there are a couple of
> things I want to say first.
>
> The first thing is that it's out of scope to address changes to things
> that were in RFC 4871, which was approved by the working group, the
> com
>> to create the word "viagra" in ASCII art, though quite crudely.
>
> So I don't understand. You're saying that a MITM can insert and delete
> spaces freely, so they're going to be able to change my text to make it
> appear that it has a different message? That would be an attack, but
> rather
On Wed, 29 Jun 2011 05:46:06 +0100, Pete Resnick
wrote:
> 32. Section 8.14: This is a complete mischaracterization of the problem.
> This is absolutely not an attack vector. If a signer wishes to prevent
> additional *known* header fields from being verified, it can simply use
> the technique o
Pete:
I'll mostly let the editors reply to this, but there are a couple of
things I want to say first.
The first thing is that it's out of scope to address changes to things
that were in RFC 4871, which was approved by the working group, the
community, and the IESG in 2007, if it's simply a questi
Folks,
I've been reviewing 4871bis for the IESG review on Thursday. I've got a
huge number of comments. Some of them (e.g., the first two below) are
quite trivial or simple issues that I expect you'd either have no issue
with or that I'm happy to ignore; some of them are clearly not trivial
at
18 matches
Mail list logo
