Hello,

Russ Housley, Area Director, posted the following DISCUSS about
Section 8 of draft-ietf-yam-rfc4409bis-02:

"The specification says:

   If an incoming message includes a DKIM [DKIM], PGP [RFC4880],
   S/MIME [RFC5751], or other signature, sites SHOULD consider what
   effect message modifications will have on the validity of the
   signature, and MAY use the presence or absence of a signature as
   a criterion when deciding what, if any, modifications to make.

This text is a warning that there are dragons here, but it does not
tell the reader anything about the real consequences. I believe
that the text ought to be saying that portions of the incoming
message that are covered by the signature SHOULD NOT be altered.
The consequences of such alteration should probably be included in
the security considerations."

The "shepherding AD and the DISCUSSing AD agree that dropping the
paragraph in question is probably the easiest (and perhaps best)
course of action". I haven't discussed the matter with Tony yet. My
recommendation is to drop the last paragraph in Section 8.

If there are any objections, please come up with very convincing
arguments. It was pointed out that the text is not in RFC 4409. The
shepherding AD is "inclined to be *extremely* conservative about
changes" and I strongly agree with him.

Regards,
S. Moonesamy
YAM WG co-chair
_______________________________________________
yam mailing list
https://www.ietf.org/mailman/listinfo/yam