On Apr 5, 2006, at 4:49 AM, Arvel Hathcock wrote:

>> The validator either considers a signature "strong" enough or they
>> don't. That choice is the validator's and it does not matter in
>> the least whether the signer agrees.
>
> Correct! That is my view on the matter also.

A signer may need to add two signatures at differing strengths when
responding to an exploitation risk while also ensuring their
continued general acceptance when few verifiers have adopted a newer
algorithm.

- A verifier is _expected_ to accept various levels of signature
strength.
- A verifier _may_ consider some messages "unsigned" when the
strength of the signature is deemed by the verifier to be too weak.
- When a significant portion of messages are signed at some level, it
will be problematic to dismiss these signatures.
- A widely used signature strength may be deemed unsatisfactory by a
signer who responds by offering _two_ signatures.
- Until either the verifier is able to exclude the signature with the
weaker algorithm, or the signer is able to apply only a single
signature, the stronger of the two signatures will not offer added
protection.

The loss of protection is due to a lack of signer communication to
the verifier. Without causing a sizable disruption, this missing
information will create perhaps a sizable period of exposure to an
exploit well beyond the control of the signer. The general design
should minimize interchanges needed to communicate a desired strength
offered by the signer. This communication will prevent a "down-
grade" exploitation from being successful. This information can be
carried in a number of ways.

This information can be carried within the key of the weaker
signature. An "alternative algorithm" field could be added to
indicate this signature is _always_ accompanied by a signature based
on this alternative algorithm. A primary/secondary flag does this as
well, and permits a general matrix of options while consuming a
single bit of information.

Wrapping a stronger signature with a weaker signature assumes there
is only a partial failure of the weaker algorithm.

Not all mail is the same. Resources expended to compromise some
email may be focused and affect only a small percentage of the
signers. DKIM should ensure this targeted minority of critical email
signers can quickly respond, and that verifiers are not susceptible to
a "down-grade" exploit.

-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
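
The "alternative algorithm" signalling proposed in the message above, sketched as verifier-side logic. This is an added example, not part of the original message or of any DKIM specification; the `alt_alg` key-record field, the `Sig` type, the strength table and the sample signatures are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Verifier's own strength ranking (constructed for this example).
STRENGTH = {"rsa-sha1": 1, "rsa-sha256": 2}

@dataclass
class Sig:
    domain: str
    alg: str
    valid: bool                      # outcome of the cryptographic check
    # Hypothetical field published in the weaker signature's key record:
    # "this signature is always accompanied by one using alt_alg".
    alt_alg: Optional[str] = None

def evaluate(sigs, supported=frozenset(STRENGTH), min_strength=1):
    """Return (verdict, algorithm) for the signatures on one message."""
    usable = [s for s in sigs
              if s.valid and s.alg in supported
              and STRENGTH.get(s.alg, 0) >= min_strength]
    for s in usable:
        alt = s.alt_alg
        # No companion promised, or this verifier cannot check it:
        # the weaker signature stands alone (continued general acceptance).
        if alt is None or alt not in supported:
            continue
        if STRENGTH.get(alt, 0) <= STRENGTH.get(s.alg, 0):
            continue
        # The signer promised a stronger companion; it must be present
        # and valid, otherwise the stronger signature was stripped or forged.
        if not any(o.valid and o.alg == alt and o.domain == s.domain
                   for o in sigs):
            return ("downgrade-suspected", s.alg)
    if not usable:
        return ("unsigned", None)
    best = max(usable, key=lambda s: STRENGTH[s.alg])
    return ("pass", best.alg)

# Constructed sample signatures for a signer offering two strengths.
WEAK = Sig("example.com", "rsa-sha1", True, alt_alg="rsa-sha256")
STRONG = Sig("example.com", "rsa-sha256", True)
WEAK_UNFLAGGED = Sig("example.com", "rsa-sha1", True)

if __name__ == "__main__":
    print(evaluate([WEAK, STRONG]))       # both signatures intact
    print(evaluate([WEAK]))               # stronger signature missing
    print(evaluate([WEAK_UNFLAGGED]))     # no signalling from the signer
```

The unflagged case passes on the weaker algorithm alone, which is the exposure the message describes when the signer has no way to tell the verifier a stronger signature should be present.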