> My understanding is that your canonicalization algorithm, in order to
> prepare the hash stream, had the signer build the partial form of their
> own "signed" header, by canonicalizing the header list among other things
> until they had the form without the signature, and that this would be
> included in the hash stream.
> Is this not correct? Such a step is a non-necessary complexity. If
> the header list is tampered with, the signature will be immediately
> invalidated anyway.
No, it is essential (and it is in pgpverify too).
From: <good-guy>
Message-Id: <fkew;lwfkew;kf>
Signed: foobar From,Message-ID,Reply-To
rdskfrekerkgkrf;vker;
erkgvc,g[er5krlv;dllerpk';cd';lc';welv';r,';
Now a malicious interloper gets in the way and changes the message:
From: <good-guy>
Message-Id: <fkew;lwfkew;kf>
Reply-To: <bad-guy>
Signed: foobar From,Message-ID
rdskfrekerkgkrf;vker;
erkgvc,g[er5krlv;dllerpk';cd';lc';welv';r,';
And if the first part of the Signed header was not covered in the
signature, it will still verify.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Email: chl(_at_)clw(_dot_)cs(_dot_)man(_dot_)ac(_dot_)uk Web: http://www.cs.man.ac.uk/~chl
Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
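The header-list substitution described in the reply above, worked through as an added example (this is not code from the post or from pgpverify). It builds the hash stream both ways, with and without the partial Signed header, and assumes an HMAC in place of the PGP signature and that absent listed headers contribute nothing to the stream.

```python
import hashlib
import hmac

# Constructed sample messages mirroring the thread's example (not from the post).
ORIGINAL = """From: <good-guy>
Message-Id: <fkew;lwfkew;kf>
Signed: foobar From,Message-ID,Reply-To

body text
"""
TAMPERED = """From: <good-guy>
Message-Id: <fkew;lwfkew;kf>
Reply-To: <bad-guy>
Signed: foobar From,Message-ID

body text
"""
KEY = b"demo-key-not-a-real-secret"  # assumption: HMAC stands in for the PGP signature

def parse_headers(msg):
    """Return {lower-cased name: value} for the header block of msg."""
    hdrs = {}
    for line in msg.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs

def hash_stream(msg, cover_signed_list):
    """Canonical bytes to sign. cover_signed_list=False hashes only the listed
    headers that are present (the shortcut the correspondent proposed); True
    first hashes the partial Signed header, i.e. the list minus the signature."""
    hdrs = parse_headers(msg)
    tag, _, names = hdrs["signed"].partition(" ")
    stream = f"Signed: {tag} {names}\n".encode() if cover_signed_list else b""
    for name in names.split(","):
        if name.lower() in hdrs:
            stream += f"{name}: {hdrs[name.lower()]}\n".encode()
    return stream

def sign(msg, cover_signed_list):
    return hmac.new(KEY, hash_stream(msg, cover_signed_list), hashlib.sha256).hexdigest()

def verify(msg, sig, cover_signed_list):
    return hmac.compare_digest(sign(msg, cover_signed_list), sig)

def tampering_detected(cover_signed_list):
    # Sign ORIGINAL, then check whether TAMPERED is rejected under that scheme.
    return not verify(TAMPERED, sign(ORIGINAL, cover_signed_list), cover_signed_list)
```

With the list left out of the stream, the tampered message carries an identical hash stream and verifies; covering the partial Signed header makes the two streams differ, so the forgery is rejected.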