Paul Hoffman wrote:
At 8:49 AM -0400 4/30/06, Tony Hansen wrote:
Paul Hoffman wrote:
> It is up to the verifier to decide how much effort after the first
attempt it wants to do. The cost to the verifier is a doing multiple
hashes, not doing multiple signature validations.
Ummm, we don't currently run a hash of the headers, just the body.
Umm, yes we do. See section 3.7:
In hash step 2, the signer or verifier MUST pass the following to the
hash algorithm in the indicated order.
Digital signature algorithms almost always encrypt a hash of the data,
not the data itself, because the encryption and decryption steps are so
expensive.
We
currently do the signature validation based on the actual headers, the
body hash, and the dkim-signature. So doing such a verification *would*
require multiple signature validations.
A verifier using heuristics (not specified in the spec) would do the
following:
1) Look at the hash in the signature.
Paul, which hash where? There is no hash in the dkim signature for the
headers, only a hash for the body and the resulting signature.
Now, *if* there were a header hash in the signature, each of your other
steps 2-4 would be accurate. But there isn't, which is why the algorithm is:
1) calculate the body hash
2) verify the hash of the body
2a) if desired, apply heuristics to body and repeat from 1
3) verify the signature using RSA
3a) if desired, apply heuristics to headers and repeat from 3
If you're going to apply heuristics to the headers, you can't get away
from recalculating the RSA signature after each application of the
heuristics.
Tony Hansen
tony(_at_)att(_dot_)com
2) Marshall the hash as specified in dkim-base.
3) Perform the hash function. See if the result is the same as the one
from step 1.
3a) If yes, go to step 5.
3b) If no, go to step 4.
4) Modify the verifier's internal view of the message in some heuristic
way and marshall the hash. Go to step 3.
5) Check that the signature over the hash in the message verifies.
Again, steps 3a and 4 should not be in the base spec, but they should
also not be prohibited by the base spec.
It's been suggested that we adopt another tack, and use a hash of the
headers as well as a hash of the body. So the actual signature
validation would be on two hashes along with the rest of the
dkim-signature header field.
This particular suggestion hasn't received any traction as yet.
Nor should it. The header format in base-01 is fine for the cryptography
involved.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html