he he... I have to disagree with Jon here. Including the body in the
signature calculation is a measure designed to protect the content of the
body as the opening of our draft states. One of the benefits of crypto
solutions over path based is that crypto can at least attempt to say
something about the integrity of the message content whereas path can not.
If DKIM is not designed to provide a level of content protection why include
the body content in the signature calculation at all when excluding it would
certainly clear up a few problems? We _want_ the body included because it
can be protected. It's not included simply to have something to feed into
the hash algorithm. It's there because the signing process can provide a
real, valuable, usable measure of protection (not perfect but nevertheless
real and usable).
--
Arvel Hathcock
CEO, Alt-N Technologies, Ltd.
Helping the World Communicate!
http://www.altn.com
-----Original Message-----
From: Jon Callas <jon(_at_)callas(_dot_)org>
To: Earl Hood <earl(_at_)earlhood(_dot_)com>
Cc: ietf-mailsig(_at_)imc(_dot_)org
Date: Tue, 19 Jul 2005 15:11:33 -0700
Subject: Re: DKIM: Canonicalization
On 18 Jul 2005, at 1:44 PM, Earl Hood wrote:
Yes! Since DKIM makes allows digitally signing of message bodies,
there is an implicit indication that message content can be
"protected"
via DKIM.
I have to disagree here, as a DKIM author, OpenPGP author, and
OpenPGP
implementer (and soon to be DKIM implementer).
The whole point of DKIM is *envelope* protection, not body
protection.
Yes, envelope is metaphorical, and implementation-wise, you have to
sign the body to sign the envelope, but the whole point of DKIM is
that
you know the source of the message where the source is an
administrative domain, and not any content signing.
Let me give a bit more of a metaphorical explanation.
Imagine that I send you a letter, and I have signed over the seal of
the envelope. Imagine inside that envelope, there is a signed letter.
DKIM is the external signature, OpenPGP and S/MIME are the internal
signature.
It seems some comments on this list indicate that such protection
is not to be as solid as S/MIME or OpenPGP, but a "fuzzy" form of
protection, that is not well-defined (a security red flag).
It's not fuzzy at all. It's very well defined. It is however, not
what
traditionally digital signatures have been used for. It is for
authenticity, rather than authentication.
IMHO, I think this is a bad way to go. If digital signatures of
body
parts are to be supported, it should be done with the assumption
that such signatures will be used to verify the integrity of the
content in the way digital signatures are normally used. If not,
people will probably use it that way anyway.
Unfortunately, the email world tolerates transmission variance,
something that digital signatures do not like. Therefore, the
debate is what is an acceptable level of variance allowed that
gives us an acceptable level of security risk.
What you are describing above is an anti-goal of DKIM. DKIM does not
sign the letter.
Jon