ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ietf-dkim] Base-02 //Deprecated Signature Version & New List

2006-06-22 07:21:31
from [Douglas Otis] [Permanent Link] 
Preventing an exploit during a transition.

Described in the draft and adds the newlist:
  draft-otis-dkim-security-concerns-00.txt
   3.  Deprecated Versions

http://tinyurl.com/o5wh3

,----
| 4. Semantics of Multiple Signatures
| ...
| When evaluating a message with multiple signatures,
| a receiver should evaluate signatures independently
| and on their own merits.  For example, a receiver
| that by policy chooses not to accept signatures
| with deprecated crypto algorithms should consider
| such signatures invalid.  As with messages with a
| single signature, receivers are at liberty to use
| the presence of valid signatures as an input to
| local policy; likewise, the interpretation of
| multiple valid signatures in combination is a local
| policy decision of the receiver.
'____

Change to:
: When evaluating a message with multiple signatures,
: a receiver should evaluate signatures by different
: signing domains independently.  A receiver,
: that by policy considers a crypto algorithm or
: service to be obsolete, should ignore the signature
: and consider it invalid.  Multiple signatures by the
: same domain must include at least one signature
: version that has not been marked as deprecated.
: When a non-deprecated version of a signature from the
: same domain is supported, this signature should be
: used in preference to a signature marked as
: deprecated.  When an unsupported signature is found
: from a domain where the only other signature is
: marked as deprecated, the version details listed
: within the 'n=' parameter of the deprecated
: key must match the values found within the
: unsupported signature, otherwise the deprecated
: signature should be ignored. As with messages with a
: single signature, receivers are at liberty to use the
: presence of valid signatures as an input to local
: policy; likewise, the interpretation of multiple valid
: signatures in combination is a local policy decision
: of the receiver.

,---
|3.5 The DKIM-Signature header field
| ...S
|    v=
|        Version (MUST be included). This tag defines
|        the version of this specification that applies
|        to the signature record. It MUST have the
|        value 0.2.
|
|      ABNF:
|
|         sig-v-tag   = %x76 [FWS] "=" [FWS] "0.2"
'___

Change to:
:    v=
:        Version (MUST be included). This tag defines
:        the version of this specification that applies
:        to the signature record. It MUST have the
:        numeric value 0.2.  The signing domain may
:        mark the signature as deprecated by appending
:        a "d" character to the version value.
:
:      ABNF:
:
:         dkim-sv      = "0.2"
:         sig-v-tag   = %x76 [FWS] "=" [FWS] dkim-sv ["d"]

,---
| 3.6.1 Textual Representation
|...
| v=
|     Version of the DKIM key record (plain-text;
|     RECOMMENDED, default is "DKIM1"). If specified,
|     this tag MUST be set to "DKIM1" (without the quotes).
|     This tag MUST be the first tag in the response.
|     Responses beginning with a "v=" tag with any other
|     value MUST be discarded.
|
|   ABNF:
|
|       key-v-tag    = %x76 [FWS] "=" [FWS] "DKIM1"
|...
| n=  Notes that might be of interest to a human (quoted-printable;
|     OPTIONAL, default is empty). No interpretation is made by any
|     program.  This tag should be used sparingly in any key server
|     mechanism that has space limitations (notably DNS).
|
|     ABNF:
|
|  key-n-tag    = %x6e [FWS] "=" [FWS] qp-section
'___

Change to:
: v=
:     Version of the DKIM key record (plain-text;
:     RECOMMENDED, default is "DKIM1"). If specified,
:     this tag MUST be set to "DKIM1" (without the quotes).
:     This tag MUST be the first tag in the response.
:     Responses beginning with a "v=" tag with any other
:     numeric value MUST be discarded.  The signing domain
:     may mark the key as deprecated by appending
:     a "d" character to the version value.  When the
:     DKIM-Signature version is marked as deprecated,
:     the DKIM-Key version MUST BE included and marked as
:     deprecated.
:
:    ABNF:
:
:      dkim-kv      = "1"
:      key-v-tag    = %x76 [FWS] "=" [FWS] "DKIM" dkim-kv ["d"]
:
:     INFORMATIVE IMPLEMENTATION NOTE:  The DKIM Signature and
:     Key versions will both have the numeric value "1" in the
:     final draft.
:...
: n=  Notes that might be of interest to a human and, when
:     version for the key is marked "deprecated", the
:     VAQ values of the concurrent non-deprecated
:     signature are prepended (quoted-printable; OPTIONAL,
:     default is empty).  Except for the version details, no
:     interpretation is made by any program.  This tag should
:     be used sparingly in any key server mechanism that has
:     space limitations (notably DNS).
:
:     ABNF:
:
:  new-v        = <non-deprecated sig 'v=' value>
:  new-a        = <non-deprecated sig 'a=' value>
:  new-q        = <non-deprecated sig 'q=' value>
:  new-list     = "|" new-v "|" new-a "|" new-q "|"
:  key-n-tag    = %x6e [FWS] "=" [FWS] [new-list] qp-section
:







_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [ietf-dkim] [Fwd: DKIM - Requested sessions have been scheduled for IETF 66], Stephen Farrell
Next by Date:  Re: [ietf-dkim] Use of "sender" in -base, Eric Allman
Previous by Thread:  [ietf-dkim] [Fwd: DKIM - Requested sessions have been scheduled for IETF 66], Stephen Farrell
Next by Thread:  Re: [ietf-dkim] Base-02 //Deprecated Signature Version & New List, Eric Allman
Indexes:  [Date] [Thread] [Top] [All Lists]