IETF Logo Mail Archive

Re: [yam] Russ Housley's Discuss on draft-ietf-yam-rfc4409bis-02: (with DISCUSS)

Russ Housley <housley@vigilsec.com> Wed, 24 August 2011 14:05 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: yam@ietfa.amsl.com
Delivered-To: yam@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 725C121F8B12; Wed, 24 Aug 2011 07:05:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tCCDv6ezhQwW; Wed, 24 Aug 2011 07:05:03 -0700 (PDT)
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by ietfa.amsl.com (Postfix) with ESMTP id B8E4A21F8AAF; Wed, 24 Aug 2011 07:05:03 -0700 (PDT)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id CC694F240BD; Wed, 24 Aug 2011 10:06:36 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id nogrPNp-NC5O; Wed, 24 Aug 2011 10:05:59 -0400 (EDT)
Received: from [10.100.10.32] (unknown [70.103.214.194]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 479D7F2406C; Wed, 24 Aug 2011 10:06:33 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <6.2.5.6.2.20110823123557.0d863778@elandnews.com>
Date: Wed, 24 Aug 2011 10:06:07 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <D41B604F-9452-4F9F-80BA-1FE5B74B171E@vigilsec.com>
References: <20110822174540.26398.33846.idtracker@ietfa.amsl.com> <6.2.5.6.2.20110823123557.0d863778@elandnews.com>
To: S Moonesamy <sm+ietf@elandsys.com>
X-Mailer: Apple Mail (2.1084)
X-Mailman-Approved-At: Wed, 24 Aug 2011 07:20:10 -0700
Cc: richard Barnes <rbarnes@bbn.com>, draft-ietf-yam-rfc4409bis@tools.ietf.org, The IESG <iesg@ietf.org>, yam-chairs@tools.ietf.org, yam@ietf.org
Subject: Re: [yam] Russ Housley's Discuss on draft-ietf-yam-rfc4409bis-02: (with DISCUSS)
X-BeenThere: yam@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Yet Another Mail working group discussion list <yam.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yam>, <mailto:yam-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/yam>
List-Post: <mailto:yam@ietf.org>
List-Help: <mailto:yam-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2011 14:05:04 -0000

SM:

Thanks for facilitating this discussion.

As Dave well knows, the presence of an invalid signature is different than no signature at all.  The technical community keeps telling implementors that they are not really different, but folks that writ code seem to think otherwise.  The proposed text does not say anything about the signature validity,  At a minimum, is should say "...of a valid signature."

I can live with this compromise.

Russ


On Aug 23, 2011, at 4:04 PM, S Moonesamy wrote:

> Hi Russ,
> At 10:45 22-08-2011, Russ Housley wrote:
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>> 
>> 
>>  The specification says:
>> 
>>    If an incoming message includes a DKIM [DKIM], PGP [RFC4880],
>>    S/MIME [RFC5751], or other signature, sites SHOULD consider what
>>    effect message modifications will have on the validity of the
>>    signature, and MAY use the presence or absence of a signature as
>>    a criterion when deciding what, if any, modifications to make.
>> 
>>  This text is a warning that there are dragons here, but it does not
>>  tell the reader anything about the real consequences.  I believe
>>  that the text ought to be saying that portions of the incoming
>>  message that are covered by the signature SHOULD NOT be altered.
>>  The consequences of such alteration should probably be included in
>>  the security considerations.
> 
> The YAM WG was asked for feedback about this issue.  Dave Crocker suggested the following text as a replacement for the text you quoted above:
> 
>   "Message modification can affect the validity of an existing message
>    signature, such as by DKIM [DKIM], PGP [RFC4880], and can render the
>    signature invalid.  This, in turn, can affect message handling by later
>    receivers, such as filtering engines that consider the presence or absence
>    of a signature."
> 
> The rationale for having the text is that "awareness of the possibility of signature-breaking is an important thing when implementing submit processors, so some text along these lines is useful advice.  The actual consequences are completely context-specific".
> 
> Ned Freed pointed out that "first and foremost, since "signature" is in general completely open-ended thing, recommending that signature preservation always be a priority over submit message processing is:
> 
>  (a) Impossible to implement since there's no way to tell the difference
>      between a new signature scheme and some random collection of header
>      fields, a new media type, or whatever and
> 
>  (b) A really bad idea since the use of a signature can (and sometimes does)
>      conflict with the operational policies associated with a submit agent.
>      And the latter can be a legal requirement in some venues.
> 
> There were several objections to the total removal of the text.
> 
> Based on the feedback received, I think the appropriate path is to have the text replaced.  Do you consider the proposed change as acceptable?
> 
> Regards,
> S. Moonesamy

v2.23.0 | Report a Bug | By Email