
[ietf-dkim] Re: What the verifier can do

2006-04-30 08:50:48
At 8:49 AM -0400 4/30/06, Tony Hansen wrote:
> Paul Hoffman wrote:
> > It is up to the verifier to decide how much effort after the first
> > attempt it wants to do. The cost to the verifier is doing multiple
> > hashes, not doing multiple signature validations.

> Ummm, we don't currently run a hash of the headers, just the body.

Umm, yes we do. See section 3.7:
   In hash step 2, the signer or verifier MUST pass the following to the
   hash algorithm in the indicated order.

Digital signature algorithms almost always encrypt a hash of the data, not the data itself, because the encryption and decryption steps are so expensive.

> We currently do the signature validation based on the actual headers, the
> body hash, and the dkim-signature. So doing such a verification *would*
> require multiple signature validations.

A verifier using heuristics (not specified in the spec) would do the following:

1) Look at the hash in the signature.

2) Marshal the hash as specified in dkim-base.

3) Perform the hash function. See if the result is the same as the one from step 1.
3a) If yes, go to step 5.
3b) If no, go to step 4.

4) Modify the verifier's internal view of the message in some heuristic way and marshal the hash. Go to step 3.

5) Check that the signature over the hash in the message verifies.

Again, steps 3a and 4 should not be in the base spec, but they should also not be prohibited by the base spec.

> It's been suggested that we adopt another tack, and use a hash of the
> headers as well as a hash of the body. So the actual signature
> validation would be on two hashes along with the rest of the
> dkim-signature header field.
>
> This particular suggestion hasn't received any traction as yet.

Nor should it. The header format in base-01 is fine for the cryptography involved.
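The five-step heuristic verifier Paul sketches above, as an added example that is not from the thread or any DKIM implementation: body hashes are cheap, so the verifier tries the body as received and then a few heuristic views of it (here, dropping trailing lines, a guess at an appended list footer), and spends the one expensive signature check only after some view reproduces bh=. The RSA step is textbook RSA over two Mersenne primes with no padding, the header-hash input is simplified to the signed headers plus the DKIM-Signature tags with b= empty, and all message data is constructed.

```python
import base64
import hashlib

# Textbook RSA over two Mersenne primes (2^521-1 and 2^127-1), standing in for
# the real RSA-SHA256 step; no PKCS#1 padding, demo only. Needs Python 3.8+.
P, Q = 2**521 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def sha256_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()
def canon_simple_body(body: bytes) -> bytes:
    # dkim-base "simple" body canonicalization: drop trailing empty lines,
    # keep exactly one CRLF at the end
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"
def signed_data(headers: bytes, tags: dict) -> bytes:
    # simplified input to the header hash: the signed headers plus the
    # DKIM-Signature tags with b= empty (hash step 2 in section 3.7)
    return headers + b"dkim-signature: bh=" + tags["bh"].encode() + b"; b="
def rsa_sign(data: bytes) -> str:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return base64.b64encode(pow(h, D, N).to_bytes(82, "big")).decode()
def rsa_verify(data: bytes, b64sig: str) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(int.from_bytes(base64.b64decode(b64sig), "big"), E, N) == h

def verify(tags: dict, headers: bytes, body: bytes, max_strip: int = 6):
    """Steps 1-5: hash the body as received, then with 1..max_strip trailing
    lines dropped; run the signature check once, only after a bh= match."""
    stats = {"hashes": 0, "signatures": 0, "view": None}
    lines = canon_simple_body(body).rstrip(b"\r\n").split(b"\r\n")
    for k in range(min(max_strip, len(lines) - 1) + 1):      # k=0: as received
        view = canon_simple_body(b"\r\n".join(lines[:len(lines) - k]))
        stats["hashes"] += 1
        if sha256_b64(view) == tags["bh"]:                   # step 3a
            stats["view"], stats["signatures"] = f"drop-last-{k}", 1
            return rsa_verify(signed_data(headers, tags), tags["b"]), stats  # step 5
    return False, stats                                      # heuristics exhausted

def demo():
    # constructed sample: the signer's view, then the body as a list relays it
    headers = b"from: alice@example.org\r\nsubject: hello\r\n"
    original = b"Hi Bob,\r\nsee you Monday.\r\n"
    tags = {"bh": sha256_b64(canon_simple_body(original))}
    tags["b"] = rsa_sign(signed_data(headers, tags))
    received = original + b"______________\r\nNOTE WELL: list rules apply\r\n"
    return verify(tags, headers, received)
```

In the demo the footer costs the verifier two extra SHA-256 computations and still only one RSA verification; a body no heuristic can reconcile never reaches the signature step at all.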
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html