ietf-mailsig

Re: Better DKIM Verification Example Needed

2005-07-27 18:16:02


----- Original Message -----
From: "Michael Thomas" <mike(_at_)mtcc(_dot_)com>

Ok, I just checked out the issue that Arvel raised. If b= is terminated
by a semicolon (which would be the case if b= was in the middle
of the DKIM-Signature somewhere),  it MUST append the trailing
semicolon. That is, the rule is to remove the signature value itself,
not any syntactic markers. I've modified my code on mtcc.com to
append a trailing semicolon to the b= for folks to test against this --
both Murray's (sendmail) and Arvel's are working correctly.

Sounds "kludgy".  So if we wanted to provide examples, we would
now have:

Example #1:

   DKIM-Signature: a=rsa-sha1; d=example.net; s=brisbane;
      c=simple; q=dns; i=@eng.example.net;
      h=A:B;
      b=dzd.....YzR
   A: <SP> X <CRLF>
   B: <SP> Y <CRLF>
    <SP> Z <CRLF>
   <CRLF>
   C <CRLF>
   D <SP><TAB><SP> E <CRLF>

      is canonicalized to:

   a:X<CRLF>b:YZ<CRLF><CRLF>CDE
   <CRLF>dkim-signature:a=rsa-sha1;d=example.net;
   s=brisbane;c=simple;q=dns;i=@eng.example.net;h=A:B;b=


Example #2: with different b= location:

   DKIM-Signature: a=rsa-sha1; d=example.net; s=brisbane;
      c=simple; q=dns; i=@eng.example.net;
      b=dzd.....YzR;
      h=A:B;
   A: <SP> X <CRLF>
   B: <SP> Y <CRLF>
    <SP> Z <CRLF>
   <CRLF>
   C <CRLF>
   D <SP><TAB><SP> E <CRLF>

      is canonicalized to:

   a:X<CRLF>b:YZ<CRLF><CRLF>CDE
   <CRLF>dkim-signature:a=rsa-sha1;d=example.net;
   s=brisbane;c=simple;q=dns;i=@eng.example.net;b=;h=A:B

Is this correct?

In my technical opinion, we need to do as much as we can to streamline the
protocol.  The system parsing requirements are already complex as it is.
There would be no harm in mandating a final tag "b=" location.   I think
it should be a *rule* for the b= signature tag to be the last tag added to
the DKIM-Signature: record.

I mean, why wouldn't it be the last item concatenated to a string? All the
other parts are part of the hashing process.  Once the signature hash is
obtained, it is just a simple matter of concatenating the "; b=signature"
component.

Hmmm,  maybe we would look at the idea of a tag location where the
DKIM-Signature record hashing ends?  So that if anyone adds new tags, it
doesn't have to be part of the signing process?

Anyway, if the above is correct, I'll go ahead and add embedded "b=" parsing
as well..

PS: is the dkim-dev mailing list active yet?  I haven't received any mail
from it yet.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
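
The b= handling discussed in this message, as an added Python example that is not part of the original post or of any DKIM implementation: it empties only the b= value, keeps the terminating semicolon, and shows that a verifier which also drops the semicolon hashes different bytes. The header strings and the signature value are constructed, and the whitespace removal follows the two examples in the message rather than a published canonicalization algorithm.

```python
import hashlib
import re

SIG_VALUE = "Q09OU1RSVUNURUQ="  # constructed placeholder, not a real signature

# Constructed headers modelled on Example #1 (b= last) and Example #2 (b= embedded).
B_LAST = ("DKIM-Signature: a=rsa-sha1; d=example.net; s=brisbane;\r\n"
          "   c=simple; q=dns; i=@eng.example.net;\r\n"
          "   h=A:B;\r\n"
          "   b=" + SIG_VALUE)
# The final ';' after h= is left off here so the result matches the text of Example #2.
B_EMBEDDED = ("DKIM-Signature: a=rsa-sha1; d=example.net; s=brisbane;\r\n"
              "   c=simple; q=dns; i=@eng.example.net;\r\n"
              "   b=" + SIG_VALUE + ";\r\n"
              "   h=A:B")


def strip_b_value(header: str) -> str:
    """Empty the value of b= but keep the tag name, '=' and any ';' after it."""
    name, _, tags = header.partition(":")
    parts = []
    for part in tags.split(";"):
        tag, eq, _value = part.partition("=")
        if eq and tag.strip() == "b":   # exact tag name, so e.g. bh= is untouched
            part = tag + "="
        parts.append(part)
    return name + ":" + ";".join(parts)


def canon_sig_header(header: str) -> str:
    """Lower-case the field name and drop all whitespace, as in the examples above."""
    name, _, rest = strip_b_value(header).partition(":")
    return name.strip().lower() + ":" + re.sub(r"\s+", "", rest)


def canon_dropping_terminator(header: str) -> str:
    """Mismatching variant: removes the ';' that terminated b= along with the value."""
    return canon_sig_header(header).replace("b=;", "b=")


def digest(text: str) -> str:
    return hashlib.sha1(text.encode("ascii")).hexdigest()  # a=rsa-sha1 in the examples


if __name__ == "__main__":
    for hdr in (B_LAST, B_EMBEDDED):
        print(canon_sig_header(hdr))
    print(digest(canon_sig_header(B_EMBEDDED)) == digest(canon_dropping_terminator(B_EMBEDDED)))
```
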




