IETF Logo Mail Archive

Re: [yam] Russ Housley's Discuss on draft-ietf-yam-rfc4409bis-02: (with DISCUSS)

S Moonesamy <sm+ietf@elandsys.com> Tue, 23 August 2011 20:04 UTC

Return-Path: <sm@elandsys.com>
X-Original-To: yam@ietfa.amsl.com
Delivered-To: yam@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD6E821F8D2B; Tue, 23 Aug 2011 13:04:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.613
X-Spam-Level:
X-Spam-Status: No, score=-102.613 tagged_above=-999 required=5 tests=[AWL=-0.014, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a+upZCkGUyd8; Tue, 23 Aug 2011 13:04:28 -0700 (PDT)
Received: from mail.elandsys.com (mail.elandsys.com [208.69.177.125]) by ietfa.amsl.com (Postfix) with ESMTP id 10BE821F8D25; Tue, 23 Aug 2011 13:04:28 -0700 (PDT)
Received: from SUBMAN.elandsys.com ([41.136.238.32]) (authenticated bits=0) by mail.elandsys.com (8.13.8/8.13.8) with ESMTP id p7NK5GhZ008136; Tue, 23 Aug 2011 13:05:21 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=elandsys.com; s=mail; t=1314129925; bh=5N0Dn2TJCVxKHNSFJhX2XcLhPu8=; h=Message-Id:Date:To:From:Subject:Cc:In-Reply-To:References: Mime-Version:Content-Type; b=rA6/H14FYh3rcUgJAFhYcvJY4FtWrnsgZvX/ceTojkDNDrU5NXNpTiQL9GJLyFLYh R+V4WC6cm08BJW6QDgKN/EX1BvcgjboKBB1xqTPj8LFb49vnpY6paR1BNsiD+fR+NS cgdCnSGRd/lC4ats8K8NnDHvWWZYGpgpraT5QChc=
Message-Id: <6.2.5.6.2.20110823123557.0d863778@elandnews.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Tue, 23 Aug 2011 13:04:57 -0700
To: Russ Housley <housley@vigilsec.com>, The IESG <iesg@ietf.org>
From: S Moonesamy <sm+ietf@elandsys.com>
In-Reply-To: <20110822174540.26398.33846.idtracker@ietfa.amsl.com>
References: <20110822174540.26398.33846.idtracker@ietfa.amsl.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: richard Barnes <rbarnes@bbn.com>, draft-ietf-yam-rfc4409bis@tools.ietf.org, yam@ietf.org, yam-chairs@tools.ietf.org
Subject: Re: [yam] Russ Housley's Discuss on draft-ietf-yam-rfc4409bis-02: (with DISCUSS)
X-BeenThere: yam@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Yet Another Mail working group discussion list <yam.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yam>, <mailto:yam-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/yam>
List-Post: <mailto:yam@ietf.org>
List-Help: <mailto:yam-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2011 20:04:28 -0000

Hi Russ,
At 10:45 22-08-2011, Russ Housley wrote:
>----------------------------------------------------------------------
>DISCUSS:
>----------------------------------------------------------------------
>
>
>   The specification says:
>
>     If an incoming message includes a DKIM [DKIM], PGP [RFC4880],
>     S/MIME [RFC5751], or other signature, sites SHOULD consider what
>     effect message modifications will have on the validity of the
>     signature, and MAY use the presence or absence of a signature as
>     a criterion when deciding what, if any, modifications to make.
>
>   This text is a warning that there are dragons here, but it does not
>   tell the reader anything about the real consequences.  I believe
>   that the text ought to be saying that portions of the incoming
>   message that are covered by the signature SHOULD NOT be altered.
>   The consequences of such alteration should probably be included in
>   the security considerations.

The YAM WG was asked for feedback about this issue.  Dave Crocker 
suggested the following text as a replacement for the text you quoted above:

    "Message modification can affect the validity of an existing message
     signature, such as by DKIM [DKIM], PGP [RFC4880], and can render the
     signature invalid.  This, in turn, can affect message handling by later
     receivers, such as filtering engines that consider the presence or absence
     of a signature."

The rationale for having the text is that "awareness of the 
possibility of signature-breaking is an important thing when 
implementing submit processors, so some text along these lines is 
useful advice.  The actual consequences are completely context-specific".

Ned Freed pointed out that "first and foremost, since "signature" is 
in general completely open-ended thing, recommending that signature 
preservation always be a priority over submit message processing is:

   (a) Impossible to implement since there's no way to tell the difference
       between a new signature scheme and some random collection of header
       fields, a new media type, or whatever and

   (b) A really bad idea since the use of a signature can (and sometimes does)
       conflict with the operational policies associated with a submit agent.
       And the latter can be a legal requirement in some venues.

There were several objections to the total removal of the text.

Based on the feedback received, I think the appropriate path is to 
have the text replaced.  Do you consider the proposed change as acceptable?

Regards,
S. Moonesamy

v2.23.0 | Report a Bug | By Email