On 10/03/2012 03:38 PM, Sam Hartman wrote:
>>>>>> "Stephen" == Stephen Farrell <[email protected]> writes:
>
>     Stephen> On 10/03/2012 02:58 PM, Sam Hartman wrote:
>     >> So, I'm a bit confused why we're discussing whether hop-by-hop
>     >> integrity is good enough.
>
>     Stephen> I guess it's at minimum a reaction to ignoring a signature.
>     Stephen> It may well be ok, but I think it needs justifying, if the
>     Stephen> WG go this way.
>
> I'd like to push back on this reaction in the strongest possible terms.

Push away. But note that my reaction has not been to say "don't do
that" - I'm saying "justify that."

Note also that we're moving away from abfab-specific things to
generalities.

> The idea that it's bad to ignore a signature, but it would be acceptable
> to not have a signature at all decreases the value of signatures.

Perhaps. Or maybe it's that optionally-signed things decrease the value
of signatures when those are present compared to always-signed things.

> It means that by adding a signature we decrease interoperability.

That's definitely true. Adding any crypto decreases interop.

> However if the RP would accept an unsigned object, we gain no security
> advantage.

An RP could choose depending on the to-be-signed/unsigned value(s) and
get a security advantage. For example, something along the lines of
being ok with "local" stuff not being signed on the assumption that
some border node will already have prevented a bad version of that
arriving, but treating non-local signed or unsigned things differently.
(For some definition of "local.")

> I'd like to ask you to think about whether that reaction--the negative
> response to ignoring a signature--is ever appropriate in a case where
> the signature is optional. If so I'd like to understand why.

I think it can be appropriate sometimes as per the above.

Cheers,
S.

>
> --Sam
>

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
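The three RP behaviours argued over in this exchange (accept unsigned objects from anywhere; accept unsigned objects only from "local" origins while verifying everything else; ignore a signature that is present) can be written down as one acceptance policy and run against the same assertion. The following is an added example written for this page, not code from the thread or from any abfab implementation. HMAC-SHA256 with a shared key stands in for whatever signature scheme a deployment actually uses, and the origin names, key bytes and payload are constructed sample data.

```python
"""Relying-party acceptance policy for optionally-signed assertions.

Added example, not from the abfab thread. HMAC-SHA256 is a stand-in for
the real signature mechanism; origins, keys and payload are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Assertion:
    origin: str                 # issuer the object claims to come from
    payload: bytes              # the to-be-signed content
    signature: Optional[bytes]  # None when the optional signature is absent


@dataclass(frozen=True)
class Policy:
    local_origins: Set[str]          # "local", for some definition of local
    accept_unsigned_nonlocal: bool   # accept unsigned objects from anywhere?
    check_present_signatures: bool   # verify a signature when one is present?


def sign(key: bytes, payload: bytes) -> bytes:
    """Stand-in signer: HMAC-SHA256 over the payload (assumption)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def decide(a: Assertion, keys: Dict[str, bytes], policy: Policy) -> Tuple[bool, str]:
    """Return (accepted, reason) for one assertion under one policy."""
    if a.signature is not None:
        if not policy.check_present_signatures:
            # The behaviour objected to above: a signature is present but ignored,
            # so a forged signature is no worse than a missing one.
            return True, "accepted: signature present but ignored"
        key = keys.get(a.origin)
        if key is None:
            return False, "rejected: signed, but no key known for origin"
        if not hmac.compare_digest(sign(key, a.payload), a.signature):
            return False, "rejected: signature does not verify"
        return True, "accepted: signature verified"
    # Unsigned object: the decision depends on where it claims to come from.
    if a.origin in policy.local_origins:
        return True, "accepted: unsigned but local (border node assumed to filter)"
    if policy.accept_unsigned_nonlocal:
        return True, "accepted: unsigned non-local (policy permits)"
    return False, "rejected: unsigned non-local"


# Constructed sample data (hypothetical names and keys).
REMOTE = "idp.example.net"
LOCAL = "idp.corp.example"
KEYS = {REMOTE: b"constructed-remote-key"}
PAYLOAD = b"subject=alice;group=admins"

# Origin-dependent policy: unsigned accepted only from local origins.
STRICT = Policy({LOCAL}, accept_unsigned_nonlocal=False, check_present_signatures=True)
# Policy that accepts unsigned objects from anywhere.
LAX = Policy({LOCAL}, accept_unsigned_nonlocal=True, check_present_signatures=True)
# Policy that ignores a signature even when one is present.
IGNORING = Policy({LOCAL}, accept_unsigned_nonlocal=False, check_present_signatures=False)


def scenarios() -> Dict[str, bool]:
    """Run the same assertions through each policy; values are accept/reject."""
    genuine = Assertion(REMOTE, PAYLOAD, sign(KEYS[REMOTE], PAYLOAD))
    stripped = Assertion(REMOTE, PAYLOAD, None)                      # signature removed in transit
    forged = Assertion(REMOTE, PAYLOAD, sign(b"attacker-key", PAYLOAD))
    local_unsigned = Assertion(LOCAL, PAYLOAD, None)
    return {
        "strict/genuine": decide(genuine, KEYS, STRICT)[0],
        "strict/stripped": decide(stripped, KEYS, STRICT)[0],
        "strict/forged": decide(forged, KEYS, STRICT)[0],
        "strict/local_unsigned": decide(local_unsigned, KEYS, STRICT)[0],
        "lax/stripped": decide(stripped, KEYS, LAX)[0],
        "ignoring/forged": decide(forged, KEYS, IGNORING)[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:24s} {'accept' if accepted else 'reject'}")
```

Under LAX, stripping the signature from the remote assertion is enough to get it accepted, which is the "no security advantage" case. Under STRICT the same stripped object is rejected while the unsigned local one is accepted, which is the origin-dependent policy sketched in the reply. Under IGNORING a forged signature is accepted, which is why a present-but-ignored signature is a distinct case from an absent one.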
