John doesn't seem to have sent this to the list (maybe because I sent
separate copies to him and to the list).

On Tue, 27 Feb 2007 07:30:03 -0000, John L <johnl(_at_)iecc(_dot_)com> wrote:

> > So you consult the SSP for the signing domain to see whether the
> > combination of dkim-2, rsa, sha-foo, complicated, strained and
> > dns/funny could have come from that domain, and if so whether there
> > should have been a further signature which you ought to check. And then
> > you have sufficient information to decide whether it had failed because
> > your Magic software was inadequate, or because it was a bogus signature
> > from a spammer.
>
> You know, spammers can fetch SSP records just like you can and can use
> them to concoct bogus signatures.
>
> Could you do me a favor and sketch out in pseudocode the algorithm to
> distinguish an actual signature made with a signature algorithm you
> can't check from a fake signature applied by a spammer who looked at the
> SSP and made up a signature identical in all regards to a real one
> except that the unverifiable signature bits are random?

You can't tell that, but you don't need to.
If the SSP says "I always sign with A and B", and the spammer reads that,
then he knows he has to produce fake signatures for both A and B. So if he
only provides a fake B, then you know he is spamming.
OTOH, if he provides a fake A and a fake B, then even though you can't
check B, you can still detect that the fake A does not verify (because you
DO know how to check A).

> While you're at it, how about the same thing to distinguish a real
> message signed with a body hash you can't check from a spam that took
> the headers and signature from a real message and a new spam body.

In exactly the same way. If the signer only uses an algorithm (including
its hash) that you cannot verify, then you are stuck (and the signer was
stupid for signing only with a not-widely-known hash). But if the signer
went to the trouble of signing twice (using both older and new hashes),
and published that fact in his SSP, then you are safe if you manage to
verify using one of them.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
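
The decision procedure argued for in the message above, as an added sketch that is not part of the original post or of any DKIM or SSP specification. Assumptions: the signer's policy is modelled as a plain set of algorithm names, each "signature" is reduced to the body hash under that algorithm (a stand-in for full DKIM verification), and `sha3_512` plays the role of the new hash the receiver does not implement.

```python
import hashlib

# Assumption: hypothetical representation of "I always sign with A and B".
POLICY = {"sha256", "sha3_512"}
VERIFIER_SUPPORTS = {"sha256"}       # this receiver can only check A


def sign(alg, body):
    """Stand-in for a DKIM signature: the body hash under `alg`."""
    return hashlib.new(alg, body).hexdigest()


def evaluate(policy, sigs, body, supported=VERIFIER_SUPPORTS):
    """sigs maps algorithm name -> signature value found on the message."""
    if policy - set(sigs):
        return "reject"              # a signature the policy promises is absent
    checkable = policy & supported
    if not checkable:
        return "indeterminate"       # signer used only algorithms we lack
    for alg in sorted(checkable):
        if sign(alg, body) != sigs[alg]:
            return "reject"          # a signature we CAN check does not verify
    return "accept"                  # the unverifiable ones were not needed


# Constructed sample data (not taken from any real message).
REAL_BODY = b"Quarterly report attached.\r\n"
SPAM_BODY = b"Unsolicited offer.\r\n"
REAL_SIGS = {alg: sign(alg, REAL_BODY) for alg in POLICY}
FAKE_A = "ab" * 32                   # made-up bits, right length for sha256
FAKE_B = "cd" * 64                   # made-up bits, right length for sha3_512


def demo():
    return {
        "genuine, signed A+B": evaluate(POLICY, REAL_SIGS, REAL_BODY),
        "only a fake B": evaluate(POLICY, {"sha3_512": FAKE_B}, SPAM_BODY),
        "fake A and fake B": evaluate(
            POLICY, {"sha256": FAKE_A, "sha3_512": FAKE_B}, SPAM_BODY),
        "real signatures, new body": evaluate(POLICY, REAL_SIGS, SPAM_BODY),
        "signer uses B only": evaluate(
            {"sha3_512"}, {"sha3_512": sign("sha3_512", REAL_BODY)}, REAL_BODY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} -> {verdict}")
```

The last case is the one the message calls being stuck: with no algorithm in common, the receiver cannot separate a real signature from made-up bits.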