ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Proposed fingerprint tag description

2006-04-12 14:17:15

On Apr 12, 2006, at 12:56 PM, Murray S. Kucherawy wrote:

If the "f=" tag is absent, a verifier can infer its value by using the first four bytes of the actual (i.e. base64-decoded) "bh" tag's value when describing its results to receivers. However, since the base64-decoded version of the "bh" tag is not easily visible upon simple header inspection, signers SHOULD add this tag for clarity.

What happens when these values are not unique? Would these values increase in size until they are unique? The "bh" tag could easily be the same for multiple signatures, which would make this a poor choice.

Verification results based upon an added header might be spoofed when an MTAs is not configured to remove them. In addition, these headers will not be reliably present until universally adopted, perhaps many years from now. While the header might be removed normally, there could also be backup paths where the header is once again not removed.

Adding another signature at the MDA can include an extension that lists verified signatures within the signature header itself, as that would be its sole purpose. This approach can dispel concerns about who is being trusted when accepting second-hand verification results. If a verification header is bound to a signature, it could be assumed to have been added by the MDA. Any message being re- submitted should remove both the verification header _and_ the accompanying signature.

-Doug
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html