ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Are verifiers expected to query SSP on a successfulverify?

2006-08-02 11:35:06


Hallam-Baker, Phillip wrote:
From: Stephen Farrell [mailto:stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie]

Why? Surely all that can happen is stripping of the stronger sig and we already decided that that wasn't a bother for base, so why is it a problem now? (Maybe I mis-remember but I think we decided it was a non-problem, not that it was a problem to punt to SSP.)

Alice decides to sign with ZSA which has just been approved, few people support 
ZSA so she also signs with RSA2048

Bob's mail gateway does not support ZSA.

Mallet strips out the RSA2048 signature, modifies the message and leaves in the 
ZSA signature.


Bob can see that there is a signature which points to a valid key record but 
has no way to verify it and no way to know that it does not comply with Alice's 
signature policy.

So what? What will Bob do differently when his DKIM code sees that
Alice sometimes/always signs with ZSA and/or RSA2048? Complain?
He'll probably do that anyway knowing Bob:-)

Mallet's not getting much out of it either - maybe he'd be better
off flipping a plaintext bit really since then Bob'd do more work.

I don't see it. (But we can stop now and take it up again after
Mike reqs-00 is out.)

Stephen.


_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html