Hi Alessandro,

At 03:38 05-03-10, Alessandro Vesely wrote:
> RFC 4871 is of 2007 and reports an issue with it. Section 5.3
> practically says that 8bit SHOULD NOT be used. I'm not sure whether
> this is a security consideration that would incarnate Stephen's
> concern (also because, since the "relaxed" Header Canonicalization
> Algorithm does not take into account quotes, /any/ rfc2045 extension
> token breaks those signatures, not just 8BITMIME.)

Section 5.3 of RFC 4871 sounds more like a deployment consideration
instead of a security consideration.

The question from Stephen Kent [1] in response to my comment mentions
that "binary attachments that are ideal for delivering malware are
supported irrespective of the use of" the 8BITMIME extension. Dave
Crocker requested input from the WG on the secdir review [2]. His
message gives a broader view of the matter (i.e. whether the change
is within scope for the YAM WG). If you have any comments, I would
like to hear them. I am not saying this because it is required by
the IETF Standards process; I mean it. It is less work for me if
such discussions do not diverge from the issue at hand. My position
is that an issue was brought up during the Secdir review and I need
an answer for the Responsible Area Director and YAM WG Chairs.

I wrote some notes about hostile content (temporary link
http://www.elandsys.com/resources/mail/draft-moonesamy-mail-security-00.txt
). It is not meant to be used as input for YAM WG work.

Regards,
S. Moonesamy

1. http://www.ietf.org/mail-archive/web/yam/current/msg00368.html
2. http://www.ietf.org/mail-archive/web/yam/current/msg00370.html