[ietf-dkim] Proposed 1368 wording draft 1
Stephen Farrell
stephen.farrell at cs.tcd.ie
Fri Mar 2 09:45:12 PST 2007
Thanks Phill,
Since Mike has to get -03 out by Monday I've asked him to include
(some version of) your text in that and we can do a strawpoll on
its inclusion/exclusion later on. (There isn't time before the
cutoff now.)
Once -03 has issued I'll start that strawpoll so we should have
a reasonable picture of the WG opinion before Prague unless there's
a major backlog with the I-Ds,
Cheers,
Stephen.
Hallam-Baker, Phillip wrote:
> Since we are drafting a requirement here we do not need to give the explanation in the detail given on the list.
>
> The signing policy statement MUST be capable of fully describing a signing practice in which multiple signatures are always provided such that the policy is of utility to any verifier is capable of verifying any of the signatures that are always provided.
>
> Such a mechanism MUST NOT
> * Require the verifier to perform any additional DNS lookups.
> * Require duplication of configuration data
> * In particular not require the policy record to provide for the
> description of any cryptographic or cannonicalization algorithm
>
> Rationale: The ability to specify multiple signatures is necessary in order to permit orderly transitions to new cryptographic and canonicalization algorithms. Unless the policy language is not sufficiently expressive to allow the signer to describe the actual signature practice in this case there is an opportunity for an attacker to exploit the fact that there are verifiers that do not yet support the new algorithm.
>
>
>
> _______________________________________________
> NOTE WELL: This list operates according to
> http://mipassoc.org/dkim/ietf-list-rules.html
>
More information about the ietf-dkim
mailing list