
Re: [ietf-dkim] draft-ietf-dkim-base-08 submitted

2007-01-22 05:38:42
Charles Lindsey wrote:
On Fri, 19 Jan 2007 14:36:42 -0000, Barry Leiba <leiba(_at_)watson(_dot_)ibm(_dot_)com> wrote:

Most of the changes that Eric made should be non-controversial, involving clarifications and tweaking that have helped us (the draft authors and the working group chairs) explain things to the IESG. Regardless, though, of the non-controversial nature of those changes, the chairs would like the working group to review the document fully.

Simple Canonicalization

The revised wording achieves what it was intended to achieve, namely that an empty/absent <body> result in a single <CRLF> to be hashed.

What is not clear is WHY this alternative was chosen (as opposed to letting it result in an empty <body>).

I have repeatedly asked for a reason as to WHY this outcome is thought to be desirable, but no explanation has been forthcoming. So I ask the question again now.

WHY?

Note, this is not (yet) an objection to the draft - just a request for explanation.

IMO, I think it was obvious, but I'll take a shot.

When the l= tag is specifically set to a zero value (e.g., l=0), per DKIM-BASE specification this means there is no hashing of the body, regardless of size. As a consequence, technically, the body can be altered and passed on.

When the l= tag is not zero, this means the body was hashed, including the possibility of the l=2 condition where there were only two bytes hashed which MAY OR MAY NOT be <CRLF> bytes.

So you have three conditions:

  l=0    No Body hashing (original body is not protected)
  l=2    May or may not be empty (could be 2 non CRLF bytes)
  l>2    Not an empty message, contains at least 1 byte.

So why would one hash a L=2 condition?

In order to distinguish between a hashing condition (l is not zero) and a non-hashing condition (l is zero) and the special case where the body is actually deemed SIMPLE c14n "empty", it might be desirable to hash the SIMPLE c14n "empty" body to simply indicate that the *original message body* was indeed EMPTY and not a case where the BODY was altered to a zero size.

Example:

Let's suppose I signed all my mail headers only, but not the body. I therefore have a L=0 tag in the DKIM-Signature. bh= is not defined.

Why I would do this is out of scope, but of course, it makes our message insecure and vulnerable to replay exploitations where the body was altered and not the original. Nonetheless, the spec does allow for a non-hashing body (l=0) provision.

We soon discover this is not a good idea and begin to hash the body.

Inevitably, we will come across an original message where the body is reduced to a SIMPLE c14n "empty" message.

We can't use a L=0 concept because that opens the door for the above body altering exploitation.

So we hash the SIMPLE c14n empty message with the <crlf> l=2 bytes to indicate that the message was indeed "empty" and not some malicious body altered message if l=0 was allowed to be used to indicate an "empty" message.

Hope that explains it.


---
HLS
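The three l= conditions discussed in the reply above (l=0, l=2 over the canonical empty body, l>2), worked through in code. This is an added example, not code from the thread or from any DKIM implementation: it implements the draft's "simple" body canonicalization (trailing empty lines dropped, body terminated by one CRLF, empty or absent body becomes a single CRLF), computes bh= over the first l octets with SHA-256, and then checks which altered bodies a verifier would still accept under each l= value. The helper names (simple_body_canonicalize, body_hash, sign_body, verify_body) and the constructed sample bodies are this example's own.

```python
import base64
import hashlib
from typing import Optional, Tuple

CRLF = b"\r\n"


def simple_body_canonicalize(body: bytes) -> bytes:
    """DKIM 'simple' body canonicalization.

    Ignore all empty lines at the end of the body and make sure the body ends
    with exactly one CRLF. An empty or absent body canonicalizes to a single
    CRLF, which is the l=2 case the thread is discussing.
    """
    lines = body.split(CRLF)
    # A body that ended with CRLF yields a trailing b""; drop every trailing
    # empty line, however many there are.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return CRLF
    return CRLF.join(lines) + CRLF


def body_hash(canon_body: bytes, length: Optional[int] = None) -> Tuple[int, str]:
    """Return (octets_hashed, bh) for an already-canonicalized body.

    length mirrors the l= tag: None hashes the whole canonical body, otherwise
    only the first `length` octets are covered. length=0 hashes zero octets,
    so bh= is the SHA-256 of the empty string and the body is unprotected.
    """
    covered = canon_body if length is None else canon_body[:length]
    digest = hashlib.sha256(covered).digest()
    return len(covered), base64.b64encode(digest).decode("ascii")


def sign_body(body: bytes, length: Optional[int] = None) -> Tuple[int, str]:
    """Signer side: canonicalize, then hash under the chosen l= policy."""
    return body_hash(simple_body_canonicalize(body), length)


def verify_body(received_body: bytes, length: Optional[int], expected_bh: str) -> bool:
    """Verifier side: recompute bh over the received body under the signed l=.

    An l= larger than the canonical body is a verification failure (the
    signature claims more octets than were received).
    """
    canon = simple_body_canonicalize(received_body)
    if length is not None and length > len(canon):
        return False
    _, bh = body_hash(canon, length)
    return bh == expected_bh


def scenarios() -> dict:
    """The thread's three conditions against one constructed altered body."""
    altered = b"attacker text"          # constructed replacement body
    results = {}
    # l=0: nothing hashed, so any replacement body still verifies.
    _, bh0 = sign_body(b"", 0)
    results["l=0 accepts altered body"] = verify_body(altered, 0, bh0)
    # l=2 over the canonical empty body: the CRLF is hashed, so a body whose
    # first two canonical octets are not CRLF is rejected.
    _, bh2 = sign_body(b"", 2)
    results["l=2 accepts empty body"] = verify_body(b"", 2, bh2)
    results["l=2 accepts altered body"] = verify_body(altered, 2, bh2)
    # No l= at all: the whole canonical body is covered.
    _, bh_full = sign_body(b"hello")
    results["full hash accepts altered body"] = verify_body(altered, None, bh_full)
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {ok}")
```

The l=2 case shows the distinction the reply draws: with l=0 a verifier learns nothing about the body, while hashing the single CRLF ties the signature to "this body was empty when signed". The usual caveat from the DKIM security considerations still applies: l= covers only the first l octets, so whatever follows them (here, anything appended after a leading CRLF) is unsigned, and a verifier should present it as such rather than treat the message body as covered.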
