--On Thursday, May 05, 2011 10:15 -0400 Jeff Macdonald
<[email protected]> wrote:
>...
> Should there be advice mentioning that such changes should be
> done before (or after?) such things as digital signing? I'm
> thinking PGP and SMIME.
Hmm.

I'm usually reluctant to start down the path of offering that
sort of advice because it is hard to know when to stop, hard to
be comprehensive, and may mislead the unwary. And, of course,
the implications of PGP and S/MIME (neither of which signs
headers) are rather different from those of DKIM (which does).

Perhaps an intermediate approach would be to insert a sentence
into the Security Considerations section that says,
approximately, that if a message arrives at the MSA with a
signature or any other sort of message integrity check, or the
MSA is expected to apply one, any actions must be applied with
extreme caution to ensure that the message that is sent out by
the submission server contains information consistent with the
message being sent.

Does that work? Does anyone want to suggest specific text?
Would such a statement be improved by a forward pointer from
Section 8.5? Anywhere else?

This also raises one other issue that apparently was not raised
in the pre-evaluation process. RFC 4141 provides specific
mechanisms and headers for content conversions of various sorts
by intermediaries who have no specific control relationship to
either the sender or the receiver. I believe that the
conversions contemplated there have always been permitted to
MSAs, even before we started explicitly documenting that fact in
RFC 2476. The new text (from the pre-evaluation document)
explicitly says that the 4141 extensions MAY be used with MSAs.
Should the document go a half-step further and indicate that
content conversions may still be applied by the MSA whether the
4141 extensions are specified or not and that an MSA MAY add
4141 header fields when it makes such conversions?

john
_______________________________________________
yam mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/yam