----- Original Message ----- From: "Frank Ellermann" <[EMAIL PROTECTED]>
> Douglas Otis wrote: > > [base-00 3.5 x=] > > The MUST in the draft may be a bit harsh. > > Yes, s/MUST/SHOULD/ makes sense, e.g. if a MUA behind IMAP > wants to check signatures. And what if they do not? What if it isn't behind IMAP. Maybe its online web mail system or just good old POP3 or both? I personally don't have a problem with a change to "SHOULD" or "MAY" recommendation, but rested assured, this (bad expiration) will be one or many guarantee form of exploitation. So a relaxation should be couple with a hindsight about the high probably consequences of passing the buck of bad or expired keys to the user. All an X= relaxation does is put added pressures at various points in the system. Also, there might be indirect association with this section and the threat 4.1.10 "use of revoked keys" and DNS TTL timing issues. -- Hector Santos, Santronics Software, Inc. http://www.santronics.com _______________________________________________ NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html
