Hi again. At the f2f, I volunteered to write up the threat analysis
for when a hash collision attack could be used. This text might be in
its own section, or could possibly be woven into 4.1.14.

Hash collision attacks in message signing systems involve the same
person creating two different messages that have the same hash value,
where only one of the two messages would normally be signed. The
attack is based on the second message inheriting the signature of the
first. For DKIM, this means that a sender might create a "good"
message and a "bad" message, where some filter at the signing party's
site would sign the good message but not the bad message. The
attacker gets the good message signed, and then incorporates that
signature in the bad message. This scenario is not common, but could
happen, for example, at a site that does content analysis on messages
before signing them.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
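
The signature inheritance described in the message above, as an added example that is not part of the original post: a signing site with a content filter signs the "good" draft, and the same signature then verifies on the "bad" draft because both share a digest. Assumptions: SHA-256 truncated to 20 bits models a hash with broken collision resistance, an HMAC stands in for the public-key signature, and the messages, filter rule, key and function names are constructed for illustration.

```python
import hashlib, hmac, itertools

KEY = b"constructed-demo-key"  # constructed; stands in for the signer's private key

def digest(msg: bytes, bits: int) -> bytes:
    """SHA-256 truncated to `bits` bits; a small `bits` models a broken hash."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return (full >> (256 - bits)).to_bytes(32, "big")

def sign_if_clean(msg: bytes, bits: int):
    """Signing site: the content filter refuses 'bad' mail, signs everything else."""
    if b"wire money" in msg:  # constructed filter rule
        return None
    # HMAC over the digest stands in for the public-key signature over the hash
    return hmac.new(KEY, digest(msg, bits), hashlib.sha256).digest()

def verify(msg: bytes, sig: bytes, bits: int) -> bool:
    expected = hmac.new(KEY, digest(msg, bits), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def colliding_pair(bits: int, pool: int = 4096):
    """The same author varies a filler field in both drafts until digests match."""
    good = {}
    for i in range(pool):
        draft = b"Lunch at noon? ref=%d" % i
        good[digest(draft, bits)] = draft
    for j in itertools.count():
        bad = b"Please wire money today. ref=%d" % j
        if digest(bad, bits) in good:
            return good[digest(bad, bits)], bad

def demo(bits: int = 20):
    good, bad = colliding_pair(bits)
    sig = sign_if_clean(good, bits)  # the filter passes the good message
    return {
        "bad_refused_by_filter": sign_if_clean(bad, bits) is None,
        "bad_verifies_weak_hash": verify(bad, sig, bits),
        # same pair under the full-length hash: the signature no longer transfers
        "bad_verifies_full_hash": verify(bad, sign_if_clean(good, 256), 256),
    }

if __name__ == "__main__":
    print(demo())
```

The filter never sees the bad message, yet a verifier that trusts the weak digest accepts it; with the untruncated hash the same pair fails verification.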