I didn't see any follow-up to this comment by Phill, and I think it
might be useful:
I believe that the best way to do this would be to introduce a signature
counter so that the order of signing can be recovered even if a message
has its headers reordered.
This might also be a good answer to the issue of downgrade attacks
during a transition period. If, say, we have a tag "n=", and the value
is "i,j" (this is signature record "i" of "j"), then a sender might do this:
DKIM-Signature: d=example.com; a=rsa-sha256; n=2,2 ...etc...
DKIM-Signature: d=example.com; a=rsa-sha1; n=1,2 ...etc...
...and a verifier can figure out whether signatures have been reordered
or stripped out.
We have also talked about putting something in the key record to
indicate which algorithms must be used, so a verifier can see that the
signer always uses sha256, and can be suspicious if a sha256 sig isn't
there, but sha1 is.
Barry
--
Barry Leiba, Pervasive Computing Technology
(leiba(_at_)watson(_dot_)ibm(_dot_)com)
http://www.research.ibm.com/people/l/leiba
http://www.research.ibm.com/spam
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html