[ietf-dkim] Base-02 //Deprecated Signature Version & New List
Paul Hoffman
phoffman at proper.com
Sun Jun 25 09:40:50 PDT 2006
At 5:46 AM -0700 6/25/06, Douglas Otis wrote:
>This next I-D offers a much simpler
>solution from the prior suggestion.
No, it doesn't; it is more complex.
>Full upgrade of SMTP will
>require years. How does this provision accommodate this possible need?
Making absurd statements does not make the WG want to revisit the
problem. There is no need to "upgrade SMTP" in the case of an
algorithm transition for some DKIM implementations.
>This is a security related work group.
Exactly. In a security working group, there needs to be a consensus
about the threat model for the use case of the protocol. This WG has
agreed on the threat model, and has designed the protocol around that
threat model. No analysis of the protocol has shown that the proposed
protocol does not match the agreed-to threat model.
The fact that one person disagrees with the agreed-to threat model,
and repeatedly tries to get people interested in his threat model, is
bothersome but irrelevant.
It is also worth noting that this part of the threat model (algorithm
transition) agreed to by this working group is the same as the threat
model used in other IETF security protocols.
>Am
>I right about the possible problem ahead with a transition?
It is not a question of right or wrong; it is a question of perceived
threats. Yours differs from the rest of the working group, and from
those of the people who designed most (all?) other significant
security protocols.