My Technical opinion.
This 6.3 provision #11 makes no sense to me.
From a design standpoint, the better system is probably going to end up
looking up all domains because that will guaranteed a consistent security
check.
The only reason I see this provision exist, nothing to do with logic, but
something to satisfy backward compatibility with existing alpha code being
used. I see no logic in trying to dictate on a designer how he/she is going
to implement DKIM and SSP and that is what this provision attempts to do.
Imagine if you remove it? What is lost?
The only legitimate argument can make is that it is an OPTIMIZER, an
optimizer purely based on the presumption that a VALID 1st party signature
is always correct.
Well, as you said the inevitable will happen, when the crypto is hacked, you
now will have millions of vulnerable sites simply because they follow this
illogical provision that serves no place in a requirements document but to
satisfy alpha code implementations that no one should be basing their future
on anyway.
That's my opinion and I'll leave it at that.
Thanks
---
HLS
----- Original Message -----
From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>
To: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>;
<ietf-dkim(_at_)mipassoc(_dot_)org>
Sent: Monday, October 23, 2006 2:30 PM
Subject: [ietf-dkim] Secrtion 6.3 Comments
ondraft-ietf-dkim-ssp-requirements-02.txt
6.3
11. The Protocol MUST NOT be required to be invoked if a valid first party
signature is found.
Should be:
The Protocol MUST NOT be required to be invoked if a valid first party
signature that satisfies the cryptographic criteria of the recipient is
found.
If I look at the email and find a satisfactory signature I am done. If I
don't find any signature at all *or I find only a weak signature* I need to
look at the policy.
Otherwise the requirements of 5.7 are unmet.
This requirement only starts to have real effect when we have a serious
enough compromise of SHA or RSA1024 to mean that verifiers would reject weak
signatures. I don't expect to get there until 2015 but I do expect to get
there eventually.
Also I would like to reword 12:
[PROVISIONAL] A domain holder MUST be able to publish a Practice which
enumerates the acceptable cryptographic algorithms for signatures
purportedly from that domain.
To be
12a [PROVISIONAL] A domain holder MUST be able to publish a Practice which
specifies the acceptable application of cryptographic algorithms for
signatures purportedly from that domain.
12b [PROVISIONAL] A domain holder MUST be able to publish a Practice which
specifies the application of multiple signatures with different
cryptographic algorithms for messages purportedly from that domain.
The difference here is key to the distinction between my proposal and the
existing one. A mere enumeration of the acceptable algorithms does not allow
the upgrade/downgrade attack to be effectively defeated. Merely saying 'I
support SHA-256' does not in fact strengthen the policy.
Also the term 'enumeration' expresses the assumption that the algorithms
will be listed in the policy record. I don't think they should go there. The
proper place for them is in the key record. This avoids the need to
duplicate the information and is in any case necessary to meet requirement
11 which can only be met if the key records effectively enumerate the set of
acceptable algorithms.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html