
Re: [ietf-dkim] Deployment Scenario 7: Cryptographic Upgrade and Downgrade Attacks

2007-02-23 16:24:06


Paul Hoffman wrote:
What Phill describes is not a downgrade attack: it is an attack based on algorithm agility. If we allow multiple algorithms, and not all the

1. If the signer publishes support for multiple algorithms, then the publisher supports those algorithms. If they made poor choices, that's their problem.

2. If the publication of multiple algorithm support is part of a transition, then, yes, there is a window during which some recipients will not support the new one, or might be unhappy with signatures by the old one, or whatever.

3. If a recipient cannot validate a signature, then the message is to be treated as unsigned. -base is quite clear about this point. Since there are myriad reasons a signature might validate, the case being presented here does not seem anything other than one more.

Doing something that causes a signature to fail is something I class as a downgrade.

Since we have already dealt with the 'failed validation' case extensively, I'm still missing what is interesting here.


I agree that this is an example of an SSP lookup for signed messages. I

Then we have a very basic problem.


hope it does not mean that we are opening the door for other purposes. It is also not requiring an SSP lookup; the only time you care if the message is signed with an algorithm you don't understand is if you know that they sign all messages. Therefore, you already did the SSP lookup to find out that information. The algorithm list would come along with the "I sign everything" information.

I'll translate this into: The SSP lookup would be after validation failure, because at that point, the message is to be treated as unsigned, and that's when an SSP lookup is to be done.


Besides the technical hassle of adding overhead, this also means that current potential adopters of DKIM will see DKIM -base use as remaining unstable.

Only if you tell them that it is. SSP does not destabilize dkim-base.

If it requires lookup for a signed message -- as in, during validation or after validation succeeds -- then yes it does.


Hence, SSP should be used for receipt of unsigned messages. Statements like "I sign everything" and "I send no mail" are examples.

...and so is "I sign everything with Algorithm A".

By its nature, that implies a lookup for a signed message, including one that validates. Bad idea.

d/
--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
