Hi John, Barry,
At 13:52 06-05-2011, John C Klensin wrote:
The references (DKIM, PGP, S/MIME) are all downward but
distinctly informative. I don't know how to add the text John
Leslie suggested (modified or not) without putting in references
I'm fine if the references are informative. FWIW, I used down-ref as
meaning a reference which is "Normative". I gather that it is the
text suggested by John Levine and not John Leslie.
of some sort -- if we don't do it and the IESG doesn't notice,
the RFC Editor is likely to do so, resulting in an AUTH48
battle. By talking about signatures or the even more generic
"message integrity checks", my original suggestion is better
from a referencing standpoint but probably worse from every
other one.
I avoid flights under the radar. :-)
So I see three possible reasonable solutions:
(1) Stay more or less with the text that now appears in
4409bis-00 and tolerate the downward reference.
(2) Drop the new text and say nothing. The piece of
Section 8 that you quote is fairly clear, there wasn't a
request to add specific signature text during the
pre-evaluation work, and the new clarification, while
motivated by EAI, adds nothing new: while address and
header coding changes could cause issues for DKIM
signatures, 4409 (especially in the presence of the 4141
extensions explicitly authorized for Submit by the 4409
pre-evaluation document) could rather thoroughly mess up
PGP or S/MIME signatures over body parts. So, if our
theory is that if something isn't seriously broken,
isn't causing demonstrable problems or confusion, and
isn't reflected in the pre-evaluation document, we don't
change it, then we should drop this.
Section 8 is about "specific problems that have clear
solutions". The change for PGP or S/MIME signatures was not raised
during the pre-evaluation work. I read that as something isn't
seriously broken or there isn't a clear solution.
Header and body changes can cause issues for DKIM signatures. The
advice given is that:
"sites SHOULD consider what effect message modifications will have
on the validity of the signature, and MAY use the presence or
absence of a signature as a criterion when deciding what, if any,
modifications to make".
Now I have to decide which message modifications mentioned in the
sub-sections can be useful depending on whether there is a signature
or not. It may be a departure from clear solutions.
(3) Really explain the issues with signed messages and,
in particular, define the rules under which MSAs can
process various sorts of messages that come to them
already signed. Those rules would change several things
in Sections 4, 5, 6, and 8 into "MUST NOT unless you
have the private key and are ready to reconstruct the
signature". Note that this is a relatively large piece
of work that arguably imposes new requirements, i.e., it
would immediately take the document out of YAM's scope.
In an perfect world, I would pick the this alternative. Fortunately,
such changes are out of scope for YAM.
At 14:22 06-05-2011, Barry Leiba wrote:
I don't see the issue here. We don't worry about "downrefs" for
non-normative references. I don't understand SM's concern.
I was thinking of normative references.
Best regards,
-sm
_______________________________________________
yam mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/yam
