Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> writes:
On Sat, 2006-04-01 at 21:56 -0800, Dave Crocker wrote:
Barry Leiba wrote:
And I'd like to get us to close on two other discrete parts:
1. Whether we want to have a mechanism to let the signature survive
the reordering of multiple sig headers or not.
...
2. Whether we want to be able to detect the removal of a signature
header (as perhaps in the case of a "stronger" one and leaving a
My question for each is why?
To do either of these requires additional mechanism.
Yes for 2. Perhaps a simple mechanism added optionally.
So the question is what benefit will accrue... and why that benefit
is essential to a task of the type DKIM is intended to perform?
Transitioning algorithms in signed email may take long periods of time.
When there are exploits possible with a prior algorithm being phased-
out, until it is possible to ensure acceptance with just the newer
convention, including both conventions will be required. This period
could span a significant amount of time, and depend upon the motivation
of all verifiers.
Not have a mechanism to detect when the stronger signature is missing
means even when the verifier does support a newer convention, the
exploit remains possible, even for those verifiers that care about the
problem. Selectively sending or verifying adds a greater amount of
overhead.
Can you explain what "the exploit" means in this context?
I understand that technically you're talking about stripping out
the stronger signature, but under what set of circumstances do you
believe that this is useful as an attack?
-Ekr
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html