ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Core algorithm support/use, draft text v2

2006-02-28 00:01:49
from [Jim Fenton] [Permanent Link] 
Eric Rescorla wrote:

Jim Fenton <fenton(_at_)cisco(_dot_)com> writes:
  
  

The "figuring out" of which algorithm to use is the central problem
here.  There just isn't a good way to do it, which is why my text
suggested the use of two signatures.  The verifier only needs to verify
one of them, and can decide which hash algorithm to use for the
verification early in the receipt of the message.  I'm less concerned
with burdening signers than verifiers.
    


Certainly, I agree that when transitioning from algorithm A
to algorithm B you need to temporarily sign with both A and B.

The question is to what extent we are transitioning from A
to B. E.g., if we do anything to break existing signatures,
then there's less point in running SHA-1 in parallel since
the signatures won't work anyway and we can just tell people
to deploy SHA-256 verification with the new canonicalization
or whatever.
  

I can't think of any reason that we would break existing signatures
without some observable change in the DKIM-Signature header field. 
Either a change in some parameter (such as the change in
canonicalization algorithm names between allman-00 and allman-01) or an
increment in the version number.  I consider such a change equivalent to
a change in the hash algorithm from a compatibility standpoint:  we
could run the old and new versions in parallel as separate signatures.

That said, why are you less concerned with signers than verifiers?
RSA signatures are much faster to verify than generate (about 20x)
so even messages destined for a fair number of people tend to
burden the signer more. And, of course, the verification load is
likely to be more spread out....
  

A single message destined for a fair number of people would only be
signed once, since we aren't signing the envelope addresses.  The reason
I'm more sensitive to verification load is the potential make-work
attack from an attacker who generates valid-looking but invalid
signatures (which are effectively free in terms of computation).  This
is described in more detail in section 4.1.6 of the threat document.

-Jim


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Threats Issue - Large DNS records make servers targets for spoofed source amplification attacks abuse, Jim Fenton
Next by Date:  Re: [ietf-dkim] Threats Issue - Large DNS records make servers targets for spoofed source amplification attacks abuse, stephen . farrell
Previous by Thread:  Re: [ietf-dkim] Core algorithm support/use, draft text v2, Eric Rescorla
Next by Thread:  Re: [ietf-dkim] Core algorithm support/use, draft text v2, Eric Rescorla
Indexes:  [Date] [Thread] [Top] [All Lists]