On 08/12/2022 23:07, John R Levine wrote:
I've submitted an -07 draft that incorporates all of the suggestions I
could figure out how to use. It is reorganized, removes all the advice
about when to delete messages, and has a new security section noting
some of the annoying things people might try to do with Expires: headers.
https://datatracker.ietf.org/doc/draft-billon-expires/
Better.
I see this as an update to RFC4021 and may be RFC2156.
I think the wording is still a bit rough. RFC4021 uses the phrase
'loses its validity'
which I think better than 'valueless'. The message may well have value,
may be to an attacker, even when it is no longer valid.
Treating multiple 'expires' as none seems unusual to me; with routing
protocols I am used to the first being acted on and the rest ignored. I
know of some message headers which are almost always present multiple
times and all are valid!
'expired' appears in several places and again seems a a bit rigid. I
would prefer something like
for which the 'expires' date and time is in the past
or some such
'determine not do'
perhaps 'to'
Security Considerations I find much better. If I had a more evil mind,
I suspect I might come up with some more possibilities.
Tom Petch
Regards,
John Levine, johnl@xxxxxxxxx, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
