ietf-dkim

Re: [ietf-dkim] RFC4871bis - whether to drop -- h: Acceptable hash algorithms

2009-06-08 06:22:35
-----Original Message-----
From: Douglas Otis [mailto:dotis(_at_)mail-abuse(_dot_)org]

It seems suitable to either reject or annotate a stern warning, those
messages where the domain refutes the algorithm claimed in the DKIM
signature.

Doug,

I'm still not convinced, but you have me thinking about it.

You're claiming that an attacker might craft a message claiming to use a hash 
called something like MD6, and the absence of "h=md6" in the corresponding key 
named by "d=" and "s=" in the signature should cause a rejection or an 
appropriate annotation.  But that would presuppose the "a=" in the signature 
contains something like "rsa-md6" and, further, that the verifier knows what 
that means.  Otherwise, wouldn't the verifier in that case just kick the 
signature out claiming an unknown signing algorithm?

Given that there are currently only two possible values for "a=" in a 
signature, the only actual attack vector here is an "rsa-sha1" signature from a 
site that claims "h=sha256" or vice-versa.

Is that still something about which we should be concerned?

-MSK

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
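
The three cases discussed in the message above, as an added example that is not part of the original thread or of any DKIM implementation: an "a=" value the verifier does not recognise, a known "a=" whose hash is absent from the key record's "h=" list, and a key record with no "h=" at all. The function names, result labels and sample records are assumptions constructed for illustration.

```python
# Added illustration; names and result labels are hypothetical.
# The two "a=" values the message says currently exist, mapped to their hash.
KNOWN_ALGS = {"rsa-sha1": "sha1", "rsa-sha256": "sha256"}

def parse_tags(value):
    """Parse a DKIM tag=value list ("a=b; c=d") into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Drop folding whitespace inside the value.
            tags[name.strip()] = "".join(val.split())
    return tags

def check_hash(sig_header, key_record):
    """Compare the signature's a= hash with the key record's h= list.

    Note: "h=" in the signature lists signed header fields; only the
    "h=" of the key record (acceptable hash algorithms) is used here.
    """
    sig = parse_tags(sig_header)
    key = parse_tags(key_record)
    alg = sig.get("a", "").lower()
    if alg not in KNOWN_ALGS:
        # The verifier cannot evaluate the signature at all, so the
        # key record's h= never comes into play (e.g. "rsa-md6").
        return "unknown-algorithm"
    if "h" not in key:
        # No h= in the key record: all algorithms are acceptable.
        return "ok"
    allowed = {h.lower() for h in key["h"].split(":") if h}
    if KNOWN_ALGS[alg] not in allowed:
        # The domain's key record does not list the hash that was used.
        return "hash-not-permitted"
    return "ok"

# Constructed sample inputs (placeholders, not real signatures or keys).
SIG_MD6 = "v=1; a=rsa-md6; d=example.com; s=sel; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER"
SIG_SHA1 = "v=1; a=rsa-sha1; d=example.com; s=sel; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER"
SIG_SHA256 = "v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER"
KEY_SHA256_ONLY = "v=DKIM1; h=sha256; k=rsa; p=PLACEHOLDER"
KEY_ANY = "v=DKIM1; k=rsa; p=PLACEHOLDER"

if __name__ == "__main__":
    for sig in (SIG_MD6, SIG_SHA1, SIG_SHA256):
        for key in (KEY_SHA256_ONLY, KEY_ANY):
            print(parse_tags(sig)["a"], "|", key, "->", check_hash(sig, key))
```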