On Mar 31, 2006, at 2:18 PM, Arvel Hathcock wrote:
>> The goal is to ensure when there are two signatures added to the
>> message, an attacker does not toss out the stronger signature in
>> order to exploit the weaker signature added within a transition
>> period.
> I think that we should leave this to the verifier. If the verifier
> is uncomfortable accepting a "weaker" signature then by all means
> let the verifier stop doing so. Is there a problem with that
> approach that I can't see?
The sender may wish to minimize the number of messages lost or
refused due to older, non-compliant verifiers, and therefore includes
two signatures within the message. One signature is stronger,
repairing a weakness found when using the prior convention. To ensure
a downgrade attack does not occur when the verifier _can_ handle the
stronger convention, primary/secondary role options would be used.
(Note this is an option that can be used at a later time and simply
defaults to a primary role, but one that should be understood by the
verifiers.) The simple rule used by the verifier would be to refuse
messages that only offer a signature marked as playing a secondary
role. This can be done only at the key, but should also be done at
the signature to minimize DNS transactions and to allow the sender to
decide what is the preferred convention. The restrictions with
respect to what is acceptable would also be provided in the algorithm/
role of the referenced key. This is extremely simple, but solid.
Primary and secondary signatures do not impact current verifiers.
Older verifiers (Allman 01) will ignore the role option seen in the
signature and key.
Simple, but effective and a very small change when following the
w= Ss Mm and Dd roles, as shown in slides. : )
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html