ietf-dkim

Re: [ietf-dkim] Policy decision tree outcomes

2006-11-15 07:44:47


Hallam-Baker, Phillip wrote:
OK how about modifying the lemma:

LEMMA-2v2 For the purposes of determining that a message is authentic there is 
no value in distinguishing between failures except in the case that the mode of 
failure provides an actionable probability that the result was due to a 
specific cause.

So then you're backing off from:

> In other words all types of failed signature have to be
> treated IDENTICALLY. That is a verifier that is policy aware
> cannot consider the reason that a message is not compliant
> with policy. All forms of policy violation are equivalent.

Is that right?

Stephen.

PS: I think pseudo-code would be better to settle the argument here, and
if no one else does, I'll try craft some and see if there are 2 or 3
outcomes that make sense.


-----Original Message-----
From: Stephen Farrell [mailto:stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie]
Sent: Tuesday, November 14, 2006 9:10 PM
To: Hallam-Baker, Phillip
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Policy decision tree outcomes


Hi Phill,

Thanks for taking the time to respond like this. I th

Hallam-Baker, Phillip wrote:
Before looking at the issue of whether downgrade attacks
are important let us look at the possible outcomes of a policy mechanism.
LEMMA-1: The objective of policy is to allow a verifier to draw conclusions from the absence of satisfactory authentication
PROOF:
    AXIOM-1:   The objective of policy is to influence the verifier
    AXIOM-2:   A verifier only looks at the policy record if it fails to find satisfactory authentication.
    THEREFORE: LEMMA-1 follows from the axioms.

There is no point in having a policy unless the verifier
executes different code paths as a result. The question then is the number of code paths.

A verifier will only look at a policy record in the following cases:

A:  No signature is present
    A1:   Because there never was a signature
    A2:   Because the message is fake
    A3:   Because the message was modified after it was sent

B:  A signature is present with a signature type that the verifier cannot verify
    B1:   A genuine signature
    B2:   A fake signature

C:  An acceptable signature is present that failed verification
    C1:   A genuine signature that failed because the message was modified
    C2:   A fake signature

D:  An unacceptable signature is present that passed verification
    D1:   A genuine signature
    D2:   A fake signature added by a party that has compromised the algorithm

LEMMA-2: There is no value in distinguishing between any of the cases A, B, C, D
PROOF:
    AXIOM-3A:  It is not possible for the verifier to distinguish between cases A1, A2 and A3
    THEREFORE: States A1, A2, A3 MUST result in the same outcome
    [Similar proof that B1=B2, C1=C2, D1=D2 omitted]

    AXIOM-4:   There is no value in distinguishing between states that can be reached by an attacker.

    AXIOM-5:   States A2, B2, C2, D2 can be reached by an attacker [by definition]

    THEREFORE: LEMMA-2 follows.


In other words all types of failed signature have to be
treated IDENTICALLY. That is a verifier that is policy aware cannot consider the reason that a message is not compliant with policy. All forms of policy violation are equivalent.

You didn't actually show that or make that argument. You did make an argument that A1, A2 and A3 aren't distinguishable. Same for the B's, C's and D's, but you never said that A2 is distinct from C1, and they are distinguishable at the verifier. So your LEMMA-2 falls IMO, and apparently all that follows.

S.
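An added example, not part of this thread and not code from any DKIM implementation: a small Python model of the verifier-side decision tree Phill enumerates (cases A to D), built to check which sub-cases a verifier can and cannot tell apart from what it actually receives. The algorithm names, the "known" and "acceptable" sets, and the sub-case labels are assumptions for illustration; the verifier never sees the labels, only the message.

```python
# Added example (not from the thread): a toy model of the verifier-side
# decision tree enumerated as cases A..D, used to check which sub-cases
# a verifier can tell apart. Algorithm names and the KNOWN/ACCEPTABLE
# sets are constructed assumptions, not values from any DKIM spec.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Outcome(Enum):
    PASS = "acceptable signature verified; policy is not consulted"
    A = "A: no signature present"
    B = "B: signature present with a type the verifier cannot verify"
    C = "C: acceptable signature present, failed verification"
    D = "D: unacceptable signature present, passed verification"


@dataclass(frozen=True)
class Signature:
    algorithm: str   # assumed algorithm tag value, e.g. "rsa-sha256"
    verifies: bool   # result of the cryptographic check, simulated here


@dataclass(frozen=True)
class Message:
    signature: Optional[Signature]   # None models "no signature present"


# Constructed assumptions: this verifier knows two algorithms and
# treats only one of them as acceptable.
KNOWN: Set[str] = {"rsa-sha1", "rsa-sha256"}
ACCEPTABLE: Set[str] = {"rsa-sha256"}


def classify(msg: Message,
             known: Set[str] = KNOWN,
             acceptable: Set[str] = ACCEPTABLE) -> Outcome:
    """Map what the verifier can observe onto one of the cases A..D.

    A signature with an unacceptable algorithm that also fails to verify
    is not enumerated in the thread; it is folded into C here because
    the verification failure is what the verifier observes first.
    """
    sig = msg.signature
    if sig is None:
        return Outcome.A
    if sig.algorithm not in known:
        return Outcome.B
    if not sig.verifies:
        return Outcome.C
    if sig.algorithm not in acceptable:
        return Outcome.D
    return Outcome.PASS


def consults_policy(outcome: Outcome) -> bool:
    """AXIOM-2: the policy record is looked at only when no
    satisfactory authentication was found."""
    return outcome is not Outcome.PASS


def sub_cases() -> Dict[str, Outcome]:
    """Build one message per sub-case (A1..D2) exactly as the verifier
    receives it. The labels record how each message came to be; that
    history is not part of the input the verifier classifies."""
    good_sig = Signature("rsa-sha256", verifies=True)
    bad_sig = Signature("rsa-sha256", verifies=False)
    # For case B the verifier cannot run the check at all, so the
    # 'verifies' value is moot; it is set to False for both sub-cases.
    unknown = Signature("new-alg", verifies=False)
    weak = Signature("rsa-sha1", verifies=True)
    return {
        "A1 never signed": classify(Message(None)),
        "A2 fake, no signature": classify(Message(None)),
        "A3 signature stripped in transit": classify(Message(None)),
        "B1 genuine, unknown algorithm": classify(Message(unknown)),
        "B2 fake, unknown algorithm": classify(Message(unknown)),
        "C1 genuine, message modified": classify(Message(bad_sig)),
        "C2 fake signature": classify(Message(bad_sig)),
        "D1 genuine, weak algorithm": classify(Message(weak)),
        "D2 forged via broken algorithm": classify(Message(weak)),
        "reference: acceptable and verified": classify(Message(good_sig)),
    }


def distinct_code_paths() -> Set[Outcome]:
    """The set of outcomes that reach the policy lookup, i.e. the number
    of distinct code paths a policy-aware verifier can branch on."""
    return {o for o in sub_cases().values() if consults_policy(o)}
```

In this model A1, A2 and A3 collapse because the verifier receives byte-identical input for all three, which is the indistinguishability the proof of LEMMA-2 relies on. A and C, by contrast, differ in the input itself (no signature versus a present signature that fails), so `distinct_code_paths()` returns four outcomes rather than one; whether a policy should act differently on them is the open question in the thread, not something the model settles.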



