Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification
draft-ietf-smime-3851bis-11
Yes
(Cullen Jennings)
(Ron Bonica)
(Russ Housley)
(Tim Polk)
No Objection
(Dan Romascanu)
(David Ward)
(Jon Peterson)
(Lars Eggert)
(Lisa Dusseault)
(Mark Townsley)
(Pasi Eronen)
(Ross Callon)
Note: This ballot was opened for revision 11 and is now closed.
Chris Newman Former IESG member
(was Discuss)
Yes
Yes
(2009-01-06)
Unknown
Section 2.5.1 > Sending agents MUST encode signing time through the year 2049 as > UTCTime; signing times in 2050 or later MUST be encoded as > GeneralizedTime. When the UTCTime CHOICE is used, S/MIME agents MUST ^^ ** I suggest the following text be added here: "The optional time zone offset component of UTCTime and GeneralizedTime MUST be included by sending agents." (see RFC 3339 section 4.4 for the reason) Section 3.1.1 > [MIME-SPEC]. The chosen charset SHOULD be named in the charset > parameter so that the receiving agent can unambiguously determine the > charset used. Why is this a SHOULD rather than a MUST? Perhaps the intent was to say ``If the chosen charset is not "us-ascii", it MUST be named in the charset parameter so that the receiving agent ...'' Section 3.2.2 > It is explicitly intended that this field be a suitable hint for mail > client applications to indicate whether a message is "signed" or > "encrypted" without having to tunnel into the CMS payload. ** Important security consideration: The mere presence of a message flagged by a user interface as "signed" or "encrypted" from a particularly important sender in a message list view can have security implications. For example, if a military communications officer receives a message with subject "change in orders" from the general that is flagged as signed in the user interface, this may cause the officer to interrupt another critical officer to view the message which may then turn out to be a forgery. Clients which display this hint in a user interface MUST provide an administrative option to ignore the hint and only display an indication that a message is signed/secure if the signature has actually been verified as valid. Section 3.4.3.2 ** These textual names disagree with the names in the IANA "Hash Function Textual Names" registry. I think that is unfortunate, but presume it is historical. I would like that to not happen for future hash function names. I suggest text similar to the following: Some of these hash function names are different from the names in the IANA "Hash Function Textual Names" registry. Receiving agents SHOULD also support the names in that registry. Future names for this parameter will be consistent with those in that registry. http://www.iana.org/assignments/hash-function-text-names/ Question for IESG/authors: should this document register "unknown" or suggest an "x-" naming convention? Section 5.1 ** As you recommend generation of a "name" parameter for this media type, it needs to be listed in the registration template as an optional parameter. Section 6 > This specification uses Public-Key Cryptography technologies. It is > assumed that the private is protected to ensure that it is not ^ key
Cullen Jennings Former IESG member
Yes
Yes
()
Unknown
Ron Bonica Former IESG member
Yes
Yes
()
Unknown
Russ Housley Former IESG member
Yes
Yes
()
Unknown
Tim Polk Former IESG member
Yes
Yes
()
Unknown
Dan Romascanu Former IESG member
(was Discuss, No Objection, Discuss)
No Objection
No Objection
()
Unknown
David Ward Former IESG member
No Objection
No Objection
()
Unknown
Jari Arkko Former IESG member
No Objection
No Objection
(2009-01-08)
Unknown
Diffs to the original RFC are here: http://www.arkko.com/ietf/smime/draft-ietf-smime-3851bis-08-from-rfc3851.diff.html
Jon Peterson Former IESG member
No Objection
No Objection
()
Unknown
Lars Eggert Former IESG member
No Objection
No Objection
()
Unknown
Lisa Dusseault Former IESG member
No Objection
No Objection
()
Unknown
Mark Townsley Former IESG member
No Objection
No Objection
()
Unknown
Pasi Eronen Former IESG member
No Objection
No Objection
()
Unknown
Ross Callon Former IESG member
No Objection
No Objection
()
Unknown