Re: S/MIME v3.2 IDs key size text (resend, no signature)

[Paul Hoffman <phoffman@xxxxxxx>]

At 1:43 PM -0500 5/12/08, Timothy J Miller wrote:
> On May 12, 2008, at 11:49 AM, Paul Hoffman wrote:
> > > When feasible, sending and receiving agents SHOULD inform senders (prior
> > > to transmission) and recipients of the relative cryptographic strength of
> > > messages and SHOULD provide a warning if weak algorithms or key sizes are
> > > used.
> >
> > I'm lost here. Using the protocol described in the document, how 
> > would I send such information? How would I send such a warning?
>
> Yet similar advice exists elsewhere in the cert handling spec:
>
> """
> A receiving agent SHOULD provide some explicit alternate processing 
> of the message if this comparison     fails, which may be to display 
> a message that shows the recipient the addresses in the certificate 
> or other certificate details.
> """  (ref: sec 3)

Only somewhat similar. Tony's proposed changes has a "SHOULD inform" 
and a "SHOULD provide a warning". The quoted test is "SHOULD provide 
alternate processing" which may be displaying a message. That's a big 
difference.

> Are you saying that this should come out as well, since your 
> objection to the RFC advising implementors to warn users re: key 
> strength clearly also applies to the RFC advising implementors re: 
> an email mismatch?

Nope. I have nothing against advising implementers. Heck, I've 
written a lot of the text that does that. What I object to is a 
SHOULD-level "inform" or "provide a warning" when we have no 
protocol-standard way of doing so.