Re: [yam] [secdir] secdir review of draft-ietf-yam-rfc1652bis-03

[S Moonesamy <sm+ietf@elandsys.com>]

Hi Alessandro,
At 03:38 05-03-10, Alessandro Vesely wrote:
>RFC 4871 is of 2007 and reports an issue with it. Section 5.3 
>practically says that 8bit SHOULD NOT be used. I'm not sure whether 
>this is a security consideration that would incarnate Stephen's 
>concern (also because, since the "relaxed" Header Canonicalization 
>Algorithm does not take into account quotes, /any/ rfc2045 extension 
>token breaks those signatures, not just 8BITMIME.)

Section 5.3 of RFC 4871 sounds more like a deployment consideration 
instead of a security consideration.

The question from Stephen Kent [1] in response to my comment mentions 
that "binary attachments that are ideal for delivering malware are 
supported irrespective of the use of" the 8BITMIME extension.  Dave 
Crocker requested input from the WG on the secdir review [2].  His 
message gives a broader view of the matter (i.e. whether the change 
is within scope for the YAM WG).  If you have any comments, I would 
like to hear them.  I am not saying this because it is required by 
the IETF Standards process; I mean it.  It is less work for me if 
such discussions do not diverge from the issue at hand.  My position 
is that an issue was brought up during the Secdir review and I need 
an answer for the Responsible Area Director and YAM WG Chairs.

I wrote some notes about hostile content ( temporary link 
http://www.elandsys.com/resources/mail/draft-moonesamy-mail-security-00.txt 
).  It is not meant to be used as input for YAM WG work.

Regards,
S. Moonesamy

1. http://www.ietf.org/mail-archive/web/yam/current/msg00368.html
2. http://www.ietf.org/mail-archive/web/yam/current/msg00370.html