Dave Crocker wrote:
> Folks,
> If you can't rank algorithms, is there any meaningful concept of a
> "downgrade attack"?
> I'm sort of wondering though if Mark's problem here might be just as
> easily solved by having a "current"/"next" kind of routine. That is,
> only allow two in play at any one time, ...
> I keep coming back to the very limited goal of DKIM and wondering
> whether the concern about a downgrade attack isn't just a little too
> esoteric for that goal.
> Besides that, presumably, having multiple signature versions, as
> discussed here, is only for transition times.
> Do we really need to engineer such fine-grained mechanisms for
> protection against attacks during limited windows of mis-opportunity,
> for a mechanism that is only trying to aid in determining whether to
> deliver a message?
I think that that's a fair question.
I believe we do need to have signature algorithm agility of some sort
for the reasons to do with hash weaknesses and also since there will
always be >1 favorite algorithm in a big world.
This scheme (or similar) may be a part of the way to provide that
agility. For now though, I don't understand well enough whether we
should worry about downgrade attacks when signing more than once.
Stephen.
_______________________________________________
NOTE WELL: This list operates according to
http://dkim.org/ietf-list-rules.html