Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread Charles Lindsey
On Thu, 07 Jul 2011 18:09:14 +0100, Pete Resnick wrote: > I am perfectly happy with Murray's original (and now, revised) text. > (Nits still being discussed are entirely up to the WG.) I am not happy > with Charles's text. Particularly: > > On 7/7/11 5:08 AM, Charles Lindsey wrote: > >> Re

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread Charles Lindsey
On Thu, 07 Jul 2011 22:06:29 +0100, Murray S. Kucherawy wrote: > My favourite counterexample, which I've used many times already, is > Mailman. It doesn't even check DKIM signatures, but you can still fake > your way through its authorization process such that a different From: > is sho

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread Alessandro Vesely
On 07/Jul/11 16:13, Dave CROCKER wrote: > On 7/7/2011 6:57 AM, Murray S. Kucherawy wrote: >>> I'd s/to be liberal/to be exceedingly liberal/ (we don't want to revise >>> Postel's statement, do we?) >> >> You're either liberal in your application of the RFCs, or you're not. I >> don't see how addin

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread McDowell, Brett
I would agree with your statement if you put the word "deployers" between DKIM and MUST. > -Original Message- > Unfortunately, the norm is not to make these checks because only DKIM > invites the possible exploit. DKIM MUST accept the role of preventing the > exploit it invites. __

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread McDowell, Brett
> -Original Message- > From: John Levine [mailto:jo...@iecc.com] > Sent: Thursday, July 07, 2011 6:22 PM > > >Will your "assume one more From than listed in h=" lead to failed > >verifications on messages that actually follow the advice in the RFC to > >list duplicate headers in their h= v

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread Murray S. Kucherawy
> -Original Message- > From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] > On Behalf Of Charles Lindsey > Sent: Friday, July 08, 2011 3:59 AM > To: DKIM > Subject: Re: [ietf-dkim] Final update to 4871bis for working group review > > > My favourite counterexample

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread Dave CROCKER
On 7/8/2011 6:48 AM, Murray S. Kucherawy wrote: >> If DKIM is not intended to give added credance to messages, then what on >> earth is its purpose at all. > > That question is answered numerous times in the draft, namely the Abstract > and Sections 1, 1.2, 1.5, 2.5, 2.7, 3.9, 3.11, 6.3, and 8.1

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread Murray S. Kucherawy
> -Original Message- > From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] > On Behalf Of Charles Lindsey > Sent: Friday, July 08, 2011 3:52 AM > To: DKIM > Subject: Re: [ietf-dkim] Final update to 4871bis for working group review > > 1. The fact that DKIM choose

Re: [ietf-dkim] Enough already, Final update to 4871bis for working group review

2011-07-08 Thread John R. Levine
I'm not seeing much agreement on any changes to Murray's final draft, so may I suggest that it's good enough and we should ship it? The potential benefit of the proposed changes doesn't impress me as worth the amount of argument they're provoking. Regards, John Levine, jo...@iecc.com, Primary

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread Dave CROCKER
On 7/8/2011 6:54 AM, Murray S. Kucherawy wrote: > That's not part of what DKIM tells an assessor, nor is the list of signed > header fields, so I don't see why that would be a useful thing to highlight. > For example, if a message contains two Subject: fields, the assessor doesn't > know whic

Re: [ietf-dkim] Enough already, Final update to 4871bis for working group review

2011-07-08 Thread J.D. Falk
On Jul 8, 2011, at 7:05 AM, John R. Levine wrote: > I'm not seeing much agreement on any changes to Murray's final draft, so > may I suggest that it's good enough and we should ship it? The potential > benefit of the proposed changes doesn't impress me as worth the amount of > argument they're

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread Charles Lindsey
On Fri, 08 Jul 2011 13:05:49 +0100, McDowell, Brett wrote: > John, this particular part of the discussion is not about changing the > RFC or DKIM implementations, only changing deployment configuration > practices. Exactly so. All I am trying to do is to ensure that those who engage in d

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread Charles Lindsey
On Fri, 08 Jul 2011 14:54:43 +0100, Murray S. Kucherawy wrote: >> -Original Message- >> [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Charles Lindsey >> Sent: Friday, July 08, 2011 3:52 AM >> 1. The fact that DKIM choose headers to sign from the bottom up (for >> good >> reaso

[ietf-dkim] One From DKIM Rule

2011-07-08 Thread Hector Santos
Charles Lindsey wrote: > I think is is clear that these attacks will work if deployers fail to > watch out for them. The only question is how long it will take the Bad > Guys to spot the opportunities (and for sure they WILL spot them - sooner > probably than later). +1 To me, the protocol

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread Pete Resnick
I want to try to be precise, which I don't think Charles is being with his below two sets of "facts". Let me try to clarify: On 7/8/11 5:52 AM, Charles Lindsey wrote: > 1. The fact that DKIM choose headers to sign from the bottom up (for good > reason) facilitates certain attacks (not against DKI

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread Douglas Otis
On 7/8/11 4:43 AM, Alessandro Vesely wrote: > On 07/Jul/11 16:13, Dave CROCKER wrote: >> On 7/7/2011 6:57 AM, Murray S. Kucherawy wrote: I'd s/to be liberal/to be exceedingly liberal/ (we don't want to revise Postel's statement, do we?) >>> You're either liberal in your application of the

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 Thread Hector Santos
Douglas Otis wrote: > Ensuring multiple header fields stipulated as occurring once not provide > a deceptive DKIM result does not alter the intent of DKIM validation. > It is important for DKIM compliance to ensure deceptive and invalid > header field instances are excluded by the verification