ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Core algorithm support/use, draft text v2

2006-03-10 21:55:40
I didn't see any follow-up to this comment by Phill, and I think it might be useful:

I believe that the best way to do this would be to introduce a signature
counter so that the order of signing can be recovered even if a message
has its headers reordered.

This might also be a good answer to the issue of downgrade attacks during a transition period. If, say, we have a tag "n=", and the value is "i,j" (this is signature record "i" of "j"), then a sender might do this:

  DKIM-Signature: d=example.com; a=rsa-sha256; n=2,2 ...etc...
  DKIM-Signature: d=example.com; a=rsa-sha1; n=1,2 ...etc...

...and a verifier can figure out whether signatures have been reordered or stripped out.

We have also talked about putting something in the key record to indicate which algorithms must be used, so a verifier can see that the signer always uses sha256, and can be suspicious if a sha256 sig isn't there, but sha1 is.

Barry

--
Barry Leiba, Pervasive Computing Technology  
(leiba(_at_)watson(_dot_)ibm(_dot_)com)
http://www.research.ibm.com/people/l/leiba
http://www.research.ibm.com/spam
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html