-----Original Message-----
From: Stephen Farrell
[mailto:stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie]
Sent: Tuesday, November 14, 2006 9:10 PM
To: Hallam-Baker, Phillip
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Policy decision tree outcomes
Hi Phill,
Thanks for taking the time to respond like this. I th
Hallam-Baker, Phillip wrote:
Before looking at the issue of whether downgrade attacks
are important let us look at the possible outcomes of a
policy mechanism.
LEMMA-1: The objective of policy is to allow a verifier to draw
conclusions from the absence of satisfactory authentication
PROOF:
AXIOM-1: The objective of policy is to influence the verifier
AXIOM-2: A verifier only looks at the policy record if
it fails to find satisfactory authentication.
THEREFORE: LEMMA-1 follows from the axioms.
There is no point in having a policy unless the verifier
executes different code paths as a result. The question then
is the number of code paths.
A verifier will only look at a policy record in the following cases:
A: No signature is present
A1: Because there never was a signature
A2: Because the message is fake
A3: Because the message was modified after it was sent
B: A signature is present with a signature type that the
verifier cannot verify
B1: A genuine signature
B2: A fake signature
C: An acceptable signature is present that failed verification
C1: A genuine signature that failed because the message
was modified
C2: A fake signature
D: An unacceptable signature is present that assed verification
D1: A genuine signature
D2: A fake signature added by a party that has
compromised the algorithm
LEMMA-2: There is no value in distinguishing between any of
the cases
A, B, C, D
PROOF
AXIOM-3A: It is not possible for the verifier to
distinguish between
case A1, A2 and A3
THEREFORE: States A1, A2, A3 MUST result in the same outcome
[Similar proof that B1=B2, C1-c2, D1=D2 omitted]
AXIOM-4: There is no value in distinguishing between
states that
can be reached by an attacker.
AXIOM-5: Stastes A2, B2, C2, D2 can be reached by an
attacker [by
definition]
THEREFORE: LEMMA-2 follows.
In other words all types of failed signature have to be
treated IDENTICALLY. That is a verifier that is policy aware
cannot consider the reason that a message is not compliant
with policy. All forms of policy violation are equivalent.
You didn't actually show that or make that argument. You did
make an argument that A1,A2 and A3 aren't distinguishable.
Same for the B's, C's and D's but you never said that A2 is
distinct from C1, and they are distinguishable at the
verifier. So your LEMMA-2 falls IMO, and apparently all that follows,
S.