Re: [yam] [secdir] secdir review of draft-ietf-yam-rfc1652bis-03

Alessandro Vesely <vesely@tana.it> Fri, 05 March 2010 11:38 UTC

Message-ID: <4B90ED1C.8040905@tana.it>
Date: Fri, 05 Mar 2010 12:38:04 +0100
From: Alessandro Vesely <vesely@tana.it>
To: yam@ietf.org
References: <4B8E515A.6060608@isode.com> <6.2.5.6.2.20100303103218.0ba092a0@resistor.net>
In-Reply-To: <6.2.5.6.2.20100303103218.0ba092a0@resistor.net>
Subject: Re: [yam] [secdir] secdir review of draft-ietf-yam-rfc1652bis-03

>> This is a very, very brief document that is targeted to obsolete RFC 1652.
>
> Please note that there haven't been any reports of security issues with this 16-year-old specification.

RFC 4871 is from 2007 and reports an issue with it. Section 5.3
practically says that 8bit SHOULD NOT be used. I'm not sure whether
this is a security consideration that would incarnate Stephen's
concern (also because, since the "relaxed" Header Canonicalization
Algorithm does not take into account quotes, /any/ RFC 2045 extension
token breaks those signatures, not just 8BITMIME.)
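
An added example, not part of the original message: a sketch of the breakage that RFC 4871 Section 5.3 addresses, where an 8bit body is re-encoded to quoted-printable in transit and the DKIM body hash (`bh=`) no longer matches, while a body normalized to 7bit before signing passes unchanged. The function names, the relay model and the sample body are assumptions made for illustration.

```python
import base64
import hashlib
import quopri
import re

def canon_simple(body: bytes) -> bytes:
    """'simple' body canonicalization: ignore empty lines at the end of the body."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """'relaxed' body canonicalization: also collapse whitespace runs and strip line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon=canon_relaxed) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in bh= for a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def to_quoted_printable(body: bytes) -> bytes:
    """Encode line by line so the CRLF line endings themselves stay untouched."""
    return b"\r\n".join(quopri.encodestring(ln) for ln in body.split(b"\r\n"))

def relay_without_8bitmime(body: bytes) -> bytes:
    """Hypothetical relay whose next hop lacks 8BITMIME: 8-bit bodies are
    re-encoded, bodies that are already 7-bit pass through unchanged."""
    return to_quoted_printable(body) if any(b > 0x7F for b in body) else body

# Constructed sample body: UTF-8 text sent with Content-Transfer-Encoding: 8bit.
BODY_8BIT = "Caff\u00e8 alle 10?\r\nA presto,\r\nAle\r\n".encode("utf-8")

def demo() -> dict:
    # Case 1: sign the 8-bit body, then verify what arrives after the relay.
    survives_8bit = body_hash(BODY_8BIT) == body_hash(relay_without_8bitmime(BODY_8BIT))
    # Case 2: signer converts to quoted-printable first, then signs.
    body_7bit = to_quoted_printable(BODY_8BIT)
    survives_7bit = body_hash(body_7bit) == body_hash(relay_without_8bitmime(body_7bit))
    return {"8bit_survives": survives_8bit, "7bit_survives": survives_7bit}

if __name__ == "__main__":
    print(demo())
```

Neither canonicalization algorithm decodes content transfer encodings, so the choice between "simple" and "relaxed" does not change the outcome for the re-encoded body.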