Tony Hansen wrote:
This paragraph should be ignored completely. It should have been removed.
Should the CRLF be there or not between the canonicalized headers and
the DKIM-Signature? I expect it to be there, but this paragraph is the
only place that says it should be there.
No, it should not. This says exactly how to do it:
In hash step 2, the signer or verifier MUST pass the following to the
hash algorithm in the indicated order.
1. The header fields specified by the "h=" tag, in the order
specified in that tag, and canonicalized using the header
canonicalization algorithm specified in the "c=" tag. Each
header field must be terminated with a single CRLF.
2. The "DKIM-Signature" header field that exists (verifying) or will
be inserted (signing) in the message, with the value of the "b="
tag deleted (i.e., treated as the empty string), canonicalized
using the header canonicalization algorithm specified in the "c="
tag, and without a trailing CRLF.
There's no intervening CRLF.
The signature in -00 was generated from "header CRLF body CRLF
dkim-signature". Now I expect it to be generated from "header CRLF
dkim-signature". That is, the "body CRLF" disappears, but not *both* CRLFs.
Am I wrong?
My understanding after talking to Eric:
The body hash is of the body only; no extra CRLFs and no signature.
The header hash contains the headers to be signed (if signing) or the headers
replayed according to the "h=" tag value (if verifying), followed by the
signature being evaluated (if verifying) or generated (if signing) minus the
"b=" value. Again, no extra CRLFs.
_______________________________________________
dkim-dev mailing list
dkim-dev(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-dev
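The two hash inputs the thread settles on (the body alone for bh=; then each signed header field followed by one CRLF, and finally the DKIM-Signature field with its b= value emptied and no trailing CRLF), worked through as an added Python example. This is not code from the mailing-list post or from any DKIM implementation; the message, signature field and b= value are constructed for illustration, and the "simple"/"relaxed" canonicalization rules are my reading of the DKIM base specification (the text later published as RFC 4871), not something this thread states. The tag-parsing helpers (tag_value, blank_b_tag, select_headers) are hypothetical names chosen here.

```python
import base64
import hashlib
import re

CRLF = "\r\n"

# Constructed sample message: CRLF line endings, one folded header, trailing blank lines in the body.
SAMPLE_MESSAGE = (
    "From: Tony <tony@example.com>" + CRLF
    + "To: dkim-dev@example.org" + CRLF
    + "Subject: CRLF before the" + CRLF
    + "\tDKIM-Signature?" + CRLF
    + CRLF
    + "Body line one." + CRLF + CRLF + CRLF
)


def split_message(raw):
    """Split a raw message into header block and body at the first blank line."""
    head, sep, body = raw.partition(CRLF + CRLF)
    return head, (body if sep else "")


def parse_headers(head):
    """Return (name, field) pairs; field is the complete folded field without its final CRLF."""
    fields = []
    for line in head.split(CRLF):
        if line[:1] in (" ", "\t") and fields:          # continuation line of the previous field
            name, field = fields[-1]
            fields[-1] = (name, field + CRLF + line)
        elif line:
            fields.append((line.split(":", 1)[0], line))
    return fields


def canon_header_simple(field):
    """'simple' header canonicalization: the field is used exactly as it appears, folding included."""
    return field


def canon_header_relaxed(field):
    """'relaxed' header canonicalization: lowercase name, unfold, squeeze WSP, strip WSP at the colon and the end."""
    name, _, value = field.partition(":")
    value = re.sub(r"[ \t]+", " ", value.replace(CRLF, ""))
    return name.lower().strip() + ":" + value.strip(" \t")


def canon_body_simple(body):
    """'simple' body canonicalization: drop empty lines at the end, then end the body with exactly one CRLF."""
    while body.endswith(CRLF + CRLF):
        body = body[:-len(CRLF)]
    return body if body.endswith(CRLF) else body + CRLF


def body_hash(raw_message):
    """bh= value: base64(SHA-256) over the canonicalized body only; no extra CRLF, no signature."""
    _, body = split_message(raw_message)
    digest = hashlib.sha256(canon_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def tag_value(sig_field, tag):
    """Extract one tag's value from a DKIM-Signature field (folding and surrounding WSP tolerated)."""
    value = sig_field.partition(":")[2]
    m = re.search(r"(?:^|;)\s*" + tag + r"\s*=\s*([^;]*)", value)
    return m.group(1).strip() if m else None


def blank_b_tag(sig_field):
    """Delete the value of the b= tag (treat it as the empty string); every other tag is left intact."""
    name, _, value = sig_field.partition(":")
    return name + ":" + re.sub(r"(^|;)(\s*b\s*=)[^;]*", r"\1\2", value)


def select_headers(fields, h_tag):
    """Pick the fields named in h=, in h= order; a name repeated in h= consumes occurrences bottom-up."""
    remaining = list(fields)
    chosen = []
    for name in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                chosen.append(remaining.pop(i)[1])
                break
    return chosen


def header_hash_input(raw_message, sig_field):
    """Data fed to the header hash: each h= field + CRLF, then the DKIM-Signature field with b= emptied, no trailing CRLF."""
    head, _ = split_message(raw_message)
    header_canon = (tag_value(sig_field, "c") or "simple").split("/")[0]
    canon = canon_header_relaxed if header_canon == "relaxed" else canon_header_simple
    signed = select_headers(parse_headers(head), tag_value(sig_field, "h"))
    parts = [canon(f) + CRLF for f in signed]        # step 1: exactly one CRLF after each signed field
    parts.append(canon(blank_b_tag(sig_field)))      # step 2: no CRLF before it, none after it
    return "".join(parts)


# Constructed signature field as a verifier receives it (b= carries a made-up value). The signer hashes
# the same field with b= still empty; both views must yield byte-identical header hash input.
SAMPLE_SIGNATURE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;" + CRLF
    + "\ts=sel; h=from:to:subject; bh=" + body_hash(SAMPLE_MESSAGE) + "; b=QWJDZEVm"
)

if __name__ == "__main__":
    signer_view = SAMPLE_SIGNATURE[:SAMPLE_SIGNATURE.rindex("; b=") + 4]   # b= present but empty
    assert header_hash_input(SAMPLE_MESSAGE, signer_view) == header_hash_input(SAMPLE_MESSAGE, SAMPLE_SIGNATURE)
    print(repr(header_hash_input(SAMPLE_MESSAGE, SAMPLE_SIGNATURE)))
```

Running it prints the exact header hash input; note that the last CRLF in that string is the one terminating the last h= field, and that the canonicalized DKIM-Signature follows it directly and ends at "b=". A verifier that appends a CRLF after the signature field, or inserts one before it, produces different input and a signature that never verifies, which is the failure mode the thread is pinning down.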