IETF Logo Mail Archive

Re: [ietf-dkim] Comments on draft-ietf-dkim-rfc4871bis-02

"Murray S. Kucherawy" <msk@cloudmark.com> Thu, 21 October 2010 20:48 UTC

Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@core3.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9DDFB3A6847 for <ietfarch-ietf-dkim-archive@core3.amsl.com>; Thu, 21 Oct 2010 13:48:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.969
X-Spam-Level:
X-Spam-Status: No, score=-105.969 tagged_above=-999 required=5 tests=[AWL=0.630, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4axHtV0uZYLQ for <ietfarch-ietf-dkim-archive@core3.amsl.com>; Thu, 21 Oct 2010 13:48:41 -0700 (PDT)
Received: from sbh17.songbird.com (sbh17.songbird.com [72.52.113.17]) by core3.amsl.com (Postfix) with ESMTP id 427803A67B3 for <ietf-dkim-archive@ietf.org>; Thu, 21 Oct 2010 13:48:41 -0700 (PDT)
Received: from sbh17.songbird.com (sbh17.songbird.com [127.0.0.1]) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id o9LKmxJN024064; Thu, 21 Oct 2010 13:49:05 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=mipassoc.org; s=k00001; t=1287694148; bh=HgwK7n3JSKD6R7wYPC6BbRWaPw4=; h=From:To:Date: Message-ID:References:In-Reply-To:MIME-Version:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Type:Content-Transfer-Encoding:Sender; b=hPHZy9+LsdCkyAV1S CNdhJw2Lk5NobEQ33SBCau7egYIe/teUZEcuMY0k/QugdQjT3Hl8SAcz6P/+e1ZnzVI Hv/dVHNk+RE9c1bIEONZqiVMLVW8ZVH+9/uliENslJ/1yAjCS0J6zIF7X8Ts1cf+tN6 pvE8a60Nrfei7HI1SOeI=
Received: from ht2-outbound.cloudmark.com (ht2-outbound.cloudmark.com [72.5.239.36]) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id o9LKmqjj024053 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=FAIL) for <ietf-dkim@mipassoc.org>; Thu, 21 Oct 2010 13:48:57 -0700
Received: from EXCH-C2.corp.cloudmark.com ([172.22.1.74]) by spite.corp.cloudmark.com ([172.22.10.72]) with mapi; Thu, 21 Oct 2010 13:48:51 -0700
From: "Murray S. Kucherawy" <msk@cloudmark.com>
To: "ietf-dkim@mipassoc.org" <ietf-dkim@mipassoc.org>
Date: Thu, 21 Oct 2010 13:48:51 -0700
Thread-Topic: [ietf-dkim] Comments on draft-ietf-dkim-rfc4871bis-02
Thread-Index: Actv0451xNmYsQD8SUir9sKF7YTzVwBjHitg
Message-ID: <F5833273385BB34F99288B3648C4F06F1340E63ADE@EXCH-C2.corp.cloudmark.com>
References: <6.2.5.6.2.20101019121022.0bfa1898@elandnews.com>
In-Reply-To: <6.2.5.6.2.20101019121022.0bfa1898@elandnews.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
MIME-Version: 1.0
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0 (sbh17.songbird.com [127.0.0.1]); Thu, 21 Oct 2010 13:49:08 -0700 (PDT)
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.0 (sbh17.songbird.com [72.52.113.70]); Thu, 21 Oct 2010 13:48:57 -0700 (PDT)
X-MIME-Autoconverted: from quoted-printable to 8bit by sbh17.songbird.com id o9LKmqjj024053
Subject: Re: [ietf-dkim] Comments on draft-ietf-dkim-rfc4871bis-02
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org

> -----Original Message-----
> From: ietf-dkim-bounces@mipassoc.org [mailto:ietf-dkim-bounces@mipassoc.org] On Behalf Of SM
> Sent: Tuesday, October 19, 2010 2:19 PM
> To: ietf-dkim@mipassoc.org
> Subject: [ietf-dkim] Comments on draft-ietf-dkim-rfc4871bis-02
> 
> Hello,
> 
> I commented on draft-ietf-dkim-rfc4871bis-01 previously (
> http://mipassoc.org/pipermail/ietf-dkim/2010q4/014696.html ).
> 
> draft-ietf-dkim-rfc4871bis-02 obsoletes RFC 4871.  RFC 5672 updates
> RFC 4871.  Why is the "RFC 4871 DomainKeys Identified Mail (DKIM)
> Signatures -- Update" document not being obsoleted by this document?

That sounds right to me.

> In the Introduction Section:
> 
>    "DomainKeys Identified Mail (DKIM) permits a person, role, or
>     organization that owns the signing domain to claim some
>     responsibility for a message by associating the domain with the
>     message."
> 
> Dave proposed a change to add a RFC 1034 reference in that sentence.
> 
>     DomainKeys Identified Mail (DKIM) permits a person, role, or
>     organization that owns the signing domain to claim some
>     responsibility for a message  [RFC5322] by associating the domain
>     name [RFC1034] with the message.
> 
> I suggest adding a reference to RFC 5322 in there to make it clear
> what "message" is.

I forget; does the email architecture document talk about the difference between a DNS domain and an ADMD?  This was an issue during the IESG evaluation of Authentication-Results and I seem to recall it being a place to which readers could be referred to learn the difference.  Maybe changing "domain" to "DNS domain" would be appropriate, and also changing the RFC1034 reference to point at RFC5598?

> As I mentioned previously, in Section 3.3:
> 
>     "In general, sha256 should always be used whenever possible."
> 
> That text was in RFC 4871 too as part of the informative note.  Could
> it be removed to avoid any dilution of the SHOULD in the "Signers
> MUST implement and SHOULD sign using rsa-sha256" sentence?

The OpenDKIM stats shows that SHA1 is still in very widespread use, both by domain counts and by aggregate message counts.  Trying to force DS to talk only about SHA256 would mean alienating half or more of the current install base, and we felt that was probably a bad idea.

> In Section 3.3.3:
> 
>       "The practical constraint that large (e.g., 4096 bit) keys may not
>        fit within a 512-byte DNS UDP response packet"
> 
> Could a normative reference to RFC 1035 be added in that sentence?
> 
>        The practical constraint that large (e.g., 4096 bit) keys may not
>        fit within a 512-byte DNS UDP response packet [RFC1035]

Seems reasonable to me, though I don't think it needs to be normative since that text is discussion rather than protocol specification.

> I'll mention it again; in Section 3.5 for the d= tag:
> 
>     "Internationalized domain names MUST be encoded as described in
>      [RFC3490]."
> 
> And i= tag:
> 
>     "Internationalized domain names MUST be converted using the steps
>      listed in Section 4 of [RFC3490] using the "ToASCII" function."
> 
> Is there a reason why this working group requires that a document
> with an intended status of "Draft Standard" should have a normative
> reference to a RFC that has been obsoleted?

I can't remember the disposition of this, but I think the problem is that we want to use ToASCII while no current (i.e. not obsolete) document contains a definition of it.  I seem to recall one of the other co-authors looking into it and finding this was acceptable, but I don't recall.  Dave, can you comment?

> In Section 5.3:
> 
>    "Similarly, a message that is not compliant with RFC5322, RFC2045
>     correct or interpret such content."
> 
> I do not understand that sentence.

XML error.  Dave already posted what that was supposed to be.

>   "Therefore, a verifier SHOULD NOT validate a message that is
>     not conformant."
> 
> That sounds like good advice.
> 
> According to draft-ietf-dkim-implementation-report-03, the
> interoperability and testing event was held in 2007.  Was the above
> requirement tested during that event?  If this working group wants to
> add such a requirement, I suggest setting the intended status of
> draft-ietf-dkim-rfc4871bis to "Proposed Standard".

I don't recall it being tested specifically.  And I don't have a good sense about whether the addition of this normative requirement would require a recycle or not.  I defer to those more experienced than me.

> In Section 5.5:
> 
>    "Verifiers MUST be capable of verifying signatures even
>     if one or more of the recommended header fields is not signed
>     (with the exception of From, which must always be signed)"
> 
> Is the last "must" a requirement?

No, I think it's simply an informative back-reference to another specified requirement.  Maybe changing "must always" to "always has to" would clear that up.

> draft-ietf-dkim-rfc4871bis has an informative reference to RFC
> 5451.  I note that the draft uses the "X-Authentication-Results"
> header field line.

Yes, that should be fixed.

Thanks,
-MSK

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email