ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Core algorithm support/use, draft text v2

2006-03-10 22:24:26
I agree with both ideas, especially anything that allows the victim of the
system, "verifiers" to gain more insight, intelligence and information about
the data it is receiving to help pre-empts abuse, optimize, scale and manage
the extra activity.

And for what its worth, this is the type of "mechanical" engineering that
keeps me interested.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com


----- Original Message -----
From: "Barry Leiba" <leiba(_at_)watson(_dot_)ibm(_dot_)com>
To: "DKIM IETF WG" <ietf-dkim(_at_)mipassoc(_dot_)org>
Sent: Friday, March 10, 2006 11:45 PM
Subject: Re: [ietf-dkim] Core algorithm support/use, draft text v2


I didn't see any follow-up to this comment by Phill, and I think it
might be useful:

I believe that the best way to do this would be to introduce a signature
counter so that the order of signing can be recovered even if a message
has its headers reordered.

This might also be a good answer to the issue of downgrade attacks
during a transition period.  If, say, we have a tag "n=", and the value
is "i,j" (this is signature record "i" of "j"), then a sender might do
this:

   DKIM-Signature: d=example.com; a=rsa-sha256; n=2,2 ...etc...
   DKIM-Signature: d=example.com; a=rsa-sha1; n=1,2 ...etc...

...and a verifier can figure out whether signatures have been reordered
or stripped out.

We have also talked about putting something in the key record to
indicate which algorithms must be used, so a verifier can see that the
signer always uses sha256, and can be suspicious if a sha256 sig isn't
there, but sha1 is.

Barry

--
Barry Leiba, Pervasive Computing Technology  
(leiba(_at_)watson(_dot_)ibm(_dot_)com)
http://www.research.ibm.com/people/l/leiba
http://www.research.ibm.com/spam
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html