Last Call Review of draft-kucherawy-authres-header-b-
review-kucherawy-authres-header-b-secdir-lc-farrell-2010-06-10-00

Request: Review of draft-kucherawy-authres-header-b
Requested revision: No specific revision (document currently at 04)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2010-06-15
Requested: 2010-05-04
Authors: Murray Kucherawy
I-D last updated: 2010-06-10
Completed reviews: Secdir Last Call review of -?? by Stephen Farrell
Assignment: Reviewer Stephen Farrell; State: Completed; Request: Last Call review on draft-kucherawy-authres-header-b by Security Area Directorate (Assigned); Completed: 2010-06-10
Nice little document. (Which is much better than a nice
big document:-)

I see no substantive security issues here.

Two nits below. I've no real problem if they're ignored.

Stephen.

1. What if someone defines a MACing scheme for DKIM with
   a teensy-weensy MAC? There might be no way to get 8
   characters then. Suggest allowing the full authenticator
   in that case if it's <8 bytes long. Very unlikely but
   maybe worth a sentence.

2. Appendix A says:

  "Presumably due to a change in one of the five header fields covered
   by the two signatures, the former signature failed to verify while
   the latter passed."

   I think that could only happen if they use different c14n, if
   so maybe say so. Or could be better to say the results may
   differ for key mgmt reasons (e.g. an inaccessible public key)
   or because the signature values have been corrupted. Reason to
   prefer those is that they're more likely. (Or am I missing
   something?)
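The header.b property the draft defines, worked through as an added example (this is editor-written Python, not code from the draft, from any DKIM implementation, or from the reviewer). It parses constructed DKIM-Signature field values, derives header.b as the first 8 characters of the b= tag with the reviewer's first nit applied (a b= shorter than 8 characters is reported whole rather than rejected), flags two signatures whose 8-character labels collide, and shows how two signatures that share header.d are told apart in an Authentication-Results field. The a=hmac-tiny algorithm name in the short-MAC sample, the authserv-id mx.example.net, the example.com domain and selector, and the exact whitespace handling are assumptions made for the example.

```python
import re

HEADER_B_LEN = 8  # number of b= characters the draft relays as header.b

# Constructed sample DKIM-Signature field values (not taken from any real
# message). SIG_1 and SIG_2 share d= and s=, so only b= distinguishes them.
SIG_1 = ("v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n"
         "\th=from:to:subject:date:message-id; bh=Qm9keUhhc2g=;\r\n"
         "\tb=AbCdEfGh\r\n\tIjKlMnOp+/==")
SIG_2 = ("v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n"
         "\th=from:to:subject:date:message-id; bh=Qm9keUhhc2g=;\r\n"
         "\tb=ZyXwVuTsRqPoNmLk+/==")
# Hypothetical MAC scheme whose b= is shorter than 8 characters (the
# reviewer's first nit); 'hmac-tiny' is not a registered DKIM algorithm.
SIG_SHORT = "v=1; a=hmac-tiny; d=example.com; s=sel1; h=from; bh=Qm9keUhhc2g=; b=QUJD"
# A different signature that nonetheless shares its first 8 b= characters with SIG_1.
SIG_COLLIDING = "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from; bh=Qm9keUhhc2g=; b=AbCdEfGhZZZZ"


def parse_tags(field_value: str) -> dict:
    """Split a DKIM tag-list into {name: value}.

    Folding whitespace (CRLF followed by WSP) is unfolded first, then all
    whitespace inside a value is dropped, because b= is routinely folded
    mid-value and its base64 must be handled without that whitespace
    (assumed to be what a header.b producer would do). Only the first '='
    of a tag separates name from value, so base64 '=' padding survives.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", field_value)
    tags = {}
    for item in unfolded.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def header_b(field_value: str) -> str:
    """Value for the header.b property: the first HEADER_B_LEN characters of
    the b= tag. A b= shorter than that is returned whole, as the reviewer
    suggests, instead of being treated as an error."""
    return parse_tags(field_value).get("b", "")[:HEADER_B_LEN]


def colliding_labels(field_values) -> set:
    """header.b values that more than one signature in the message maps to.
    Such a label cannot disambiguate the results, so a producer should
    notice it rather than emit ambiguous resinfo entries silently."""
    seen, dupes = set(), set()
    for label in map(header_b, field_values):
        (dupes if label in seen else seen).add(label)
    return dupes


def authres_field(authserv_id: str, results) -> str:
    """Build an Authentication-Results field value with one dkim= resinfo
    per signature, carrying header.d and header.b so a consumer can tell
    which of several signatures from the same domain gave which result.

    `results` is a list of (DKIM-Signature field value, result) pairs.
    """
    parts = [authserv_id]
    for field_value, result in results:
        tags = parse_tags(field_value)
        parts.append(f"dkim={result} header.d={tags['d']} header.b={header_b(field_value)}")
    return ";\n\t".join(parts)


if __name__ == "__main__":
    print("Authentication-Results: " + authres_field("mx.example.net", [(SIG_1, "fail"), (SIG_2, "pass")]))
    print("short b= gives header.b=" + header_b(SIG_SHORT))
    print("colliding labels:", colliding_labels([SIG_1, SIG_2, SIG_COLLIDING]))
```

Without header.b the two dkim= entries for example.com in the first printed field would be indistinguishable; the collision check is there because an 8-character prefix is only a label, not a guarantee of uniqueness, and a producer that emits two identical labels has given the consumer nothing to go on.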