ietf-dkim

RE: [ietf-dkim] The key record upgrade attack

2006-08-04 07:43:37

From: Stephen Farrell [mailto:stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie]

My issue with this is that I don't see why this is much different
from:

Everyone supports rsa-sha256

Alice publishes:

1. The policy statement 'I always sign'
2. A key record for algorithm rsa-sha256

Mallet can produce a forgery of a message by Alice that is 
100% certain to be considered in compliance with policy - the 
signature value just won't verify.

The difference is that a signature that does not verify is treated as if it was 
not present and thus the message is not in compliance with policy.

Verifiers must be able to treat the following conditions differently:
   "There is a signature here that I cannot verify"
   "There is a signature here that fails the verification process I support"

What the attack does is to convert the policy Alice intends to express "I 
always provide a signature that you can validate" into "I always provide a 
signature but you may not be able to check it". That is a crucial difference.


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
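
The distinction drawn in the reply above, sketched as an added example that is not part of the original message or of any DKIM implementation: a verifier keeps "cannot verify" (unsupported algorithm) separate from "fails verification" before applying an 'I always sign' policy. The state names, the outcome strings, the `crypto_ok` stand-in for the real cryptographic check, and the sample headers (including the algorithm name `new-alg`) are assumptions constructed for illustration.

```python
from enum import Enum

class SigState(Enum):
    VERIFIED = "verified"          # supported algorithm, signature value checks out
    FAILED = "failed"              # supported algorithm, signature value does not verify
    UNVERIFIABLE = "unverifiable"  # algorithm this verifier does not implement

SUPPORTED = {"rsa-sha256"}  # the algorithm from the scenario in the message

def parse_tags(header_value):
    """Parse a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def classify(header_value, crypto_ok):
    """crypto_ok stands in for the real hash and public-key check (assumption)."""
    alg = parse_tags(header_value).get("a", "")
    if alg not in SUPPORTED:
        return SigState.UNVERIFIABLE  # never collapse this into FAILED
    return SigState.VERIFIED if crypto_ok else SigState.FAILED

def evaluate(signatures, always_signs):
    """signatures: list of (header_value, crypto_ok) pairs found on one message."""
    states = [classify(h, ok) for h, ok in signatures]
    if SigState.VERIFIED in states:
        return "compliant"
    if not always_signs:
        return "no-policy-claim"
    if SigState.UNVERIFIABLE in states:
        # A signature is present but uncheckable: a distinct outcome, so local
        # policy can decide how to handle it (the handling itself is an assumption).
        return "cannot-check"
    # A failed signature is treated as if it were not present.
    return "non-compliant"

# Constructed sample headers, not taken from real mail.
BAD_VALUE = "v=1; a=rsa-sha256; d=example.com; s=sel; b=AAAA"
UNKNOWN_ALG = "v=1; a=new-alg; d=example.com; s=sel; b=AAAA"

if __name__ == "__main__":
    print(evaluate([(BAD_VALUE, False)], always_signs=True))    # failed signature
    print(evaluate([(UNKNOWN_ALG, False)], always_signs=True))  # uncheckable signature
```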