On 6/29/11 11:49 AM, Pete Resnick wrote:
On 6/29/11 11:20 AM, Charles Lindsey wrote:
I agree that 8.14 is poorly written (and it was even worse a while back).
However, there most certainly IS an attack here, which is NOT the same as
the related attack discussed in 8.15, and cannot be prevented
On 6/30/11 9:53 AM, Murray S. Kucherawy wrote:
-Original Message-
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
On Behalf Of Charles Lindsey
Sent: Thursday, June 30, 2011 7:05 AM
To: DKIM
Subject: Re: [ietf-dkim] Pete's review of 4871bis
The problem
On Wed, 29 Jun 2011 19:49:27 +0100, Pete Resnick presn...@qualcomm.com
wrote:
On 6/29/11 11:20 AM, Charles Lindsey wrote:
A phisher obtains a throwaway domain and creates a public/private key
pair
for
it. He then sends messages of the following form:
To:
] Pete's review of 4871bis
I agree that 8.14 is poorly written (and it was even worse a while
back).
However, there most certainly IS an attack here, which is NOT the same
as
the related attack discussed in 8.15, and cannot be prevented by putting
extra entries in the 'h=' tag
-Original Message-
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
On Behalf Of Charles Lindsey
Sent: Thursday, June 30, 2011 7:05 AM
To: DKIM
Subject: Re: [ietf-dkim] Pete's review of 4871bis
The problem is that an apparently valid signature (albeit
Pete:
I'll mostly let the editors reply to this, but there are a couple of
things I want to say first.
The first thing is that it's out of scope to address changes to things
that were in RFC 4871, which was approved by the working group, the
community, and the IESG in 2007, if it's simply a
On Wed, 29 Jun 2011 05:46:06 +0100, Pete Resnick presn...@qualcomm.com
wrote:
32. Section 8.14: This is a complete mischaracterization of the problem.
This is absolutely not an attack vector. If a signer wishes to prevent
additional *known* header fields from being verified, it can simply
to create the word viagra in ASCII art, though quite crudely.
So I don't understand. You're saying that a MITM can insert and delete
spaces freely, so they're going to be able to change my text to make it
appear that it has a different message? That would be an attack, but
rather insane.
On 6/29/11 11:11 AM, Barry Leiba wrote:
Pete:
I'll mostly let the editors reply to this, but there are a couple of
things I want to say first.
The first thing is that it's out of scope to address changes to things
that were in RFC 4871, which was approved by the working group, the
-Original Message-
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
On Behalf Of Charles Lindsey
Sent: Wednesday, June 29, 2011 9:20 AM
To: DKIM
Subject: Re: [ietf-dkim] Pete's review of 4871bis
I agree that 8.14 is poorly written (and it was even
The first thing is that it's out of scope to address changes to things
that were in RFC 4871, which was approved by the working group, the
community, and the IESG in 2007, if it's simply a question of one or
two people not liking those things so much -- even if one or two of
those people now
On 6/29/2011 9:40 AM, John R. Levine wrote:
RFC 4871 is full of gratuitous and often wrong advice on everything from
APIs to MUA design to key management. 4871bis got rid of some of it, but
there's still a lot left. If Pete can force us to strip out more of the
gratuitous stuff and stick
On 6/29/11 11:20 AM, Charles Lindsey wrote:
I agree that 8.14 is poorly written (and it was even worse a while back).
However, there most certainly IS an attack here, which is NOT the same as
the related attack discussed in 8.15, and cannot be prevented by putting
extra entries in the 'h='
On 6/29/2011 11:49 AM, Pete Resnick wrote:
Now*that's* the attack. But it's NOT AN ATTACK ON DKIM! It's an attack
So?
The original directive to produce a threats analaysis was for threats to
recipients that DKIM might help remedy.
Clearly, techniques later designed to circumvent or
-Original Message-
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
On Behalf Of Dave CROCKER
Sent: Wednesday, June 29, 2011 11:56 AM
To: Pete Resnick
Cc: DKIM
Subject: Re: [ietf-dkim] Pete's review of 4871bis
If I missed it, I apologize, but have you
Hi John,
At 09:40 29-06-2011, John R. Levine wrote:
there's still a lot left. If Pete can force us to strip out more of the
gratuitous stuff and stick to telling people how to do reliably
interoperable signing and verification, the actual standards part of the
standard, he'll be doing everyone a
Folks,
I've been reviewing 4871bis for the IESG review on Thursday. I've got a
huge number of comments. Some of them (e.g., the first two below) are
quite trivial or simple issues that I expect you'd either have no issue
with or that I'm happy to ignore; some of them are clearly not trivial
17 matches
Mail list logo
