Deployment Scenario 7: Cryptographic Upgrade and Downgrade Attacks
In the case that a signer advertises key records for multiple
signature algorithms this may allow an attacker to circumvent an
insufficiently expressive signature policy.
Example:
Legitimate sender advertises key records A, B. Record A describes a
signature key for a widely supported signature algorithm. Record B
describes a signature key for a signature algorithm that is not
generally supported. The senders signature policy says 'I always sign
every message'. The sender always signs messages with algorithm A
(whether algorithm B is used by the legitimate sender as an additional
algorithm or not does not affect the success of the attack).
Color me confused. I thought we agreed long ago that downgrade attacks were
not an issue for the problem DKIM addresses.
In general, there are myriad ways to break a signed message, to render the
signature invalid. We have chosen not to attempt to prevent breakage.
More basically, we are moving quickly into the morass of requiring SSP lookups
for signed messages, rather than limiting SSP for use with unsigned messages.
Besides the technical hassle of adding overhead, this also means that current
potential adopters of DKIM will see DKIM -base use as remaining unstable. And
I hope folks do not understimate the danger from this, because it has already
been a point of discussion in industry meetings among potential adopters.
There is a very simple distinction we can make:
If a message is signed, then the signature (and associated key
information) speaks for itself. If the organization has constraints on who is
allowed to sign a message or what message they are allowed to sign, or what
algorithms they are supposed to use, then that is a matter for internal
management within the organization. It is not the job of a public standard to
recruit a recipient into enforcing sender-side internal administrative
policies. If an organization chooses to publish support for a weak algorithm,
again, that is their problem, not the recipient's.
Hence, SSP should be used for receipt of unsigned messages. Statements
like "I sign everything" and "I send no mail" are examples.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html