ietf-dkim

Re: [ietf-dkim] ISSUE: 4871bis-02 - Section 8.14 comments

2010-10-14 12:28:24
On 14/Oct/10 00:22, Jim Fenton wrote:
> Insert prior to current section 6.1.2 (which becomes 6.1.3, etc.):
>
> 6.1.1 Validate the Message Syntax
>
> The verifier SHOULD meticulously validate the format of the message
> being verified against the requirements specified in [RFC5322],
> [RFC2045], and [RFC2047].  In particular, limitations on the number of
> occurrences of particular header fields specified in [RFC5322] section
> 3.6 SHOULD be verified. Messages found to be in violation of these
> checks MUST return a PERMFAIL (message syntax error) verification result.

-1

If we go for changing the protocol in order to avoid the exploit, we 
should explicitly enumerate the header fields whose duplication 
verifiers MUST check.  "SHOULD meticulously validate" + "MUST return 
PERMFAIL" make for a fuzzy protocol.

The spec should also state whether duplicated fields invalidate a 
signature even when they are duly signed.  Finally, it does make sense 
to duplicate fields in h= as stated in -02's 8.14, because that's the 
only way to guard against the exploit in case the destination's 
verifier is coded according to the previous protocol version.

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
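
An added illustration, not part of the original message or of any DKIM implementation: a verifier-side check that enumerates the header fields capped at one occurrence by the RFC 5322 section 3.6 table, plus a signer-side helper that lists each signed field in h= once more than it occurs, which is how this sketch reads the h= duplication mentioned above. The function names, the default list of signed fields and the sample messages are constructed for the example.

```python
from collections import Counter
from email import policy
from email.parser import BytesParser

# (min, max) occurrences for the fields that the RFC 5322 section 3.6
# table limits to a single instance.
LIMITS = {
    "date": (1, 1), "from": (1, 1), "sender": (0, 1), "reply-to": (0, 1),
    "to": (0, 1), "cc": (0, 1), "bcc": (0, 1), "message-id": (0, 1),
    "in-reply-to": (0, 1), "references": (0, 1), "subject": (0, 1),
}

def header_counts(raw: bytes) -> Counter:
    """Count header fields by lower-cased name, keeping duplicates."""
    msg = BytesParser(policy=policy.compat32).parsebytes(raw, headersonly=True)
    return Counter(name.lower() for name in msg.keys())

def syntax_check(raw: bytes) -> tuple[str, list[str]]:
    """Return a result string and the list of occurrence violations."""
    counts = header_counts(raw)
    problems = []
    for name, (lo, hi) in LIMITS.items():
        n = counts.get(name, 0)
        if n < lo:
            problems.append(f"{name}: missing")
        elif n > hi:
            problems.append(f"{name}: {n} occurrences, at most {hi} allowed")
    result = "PERMFAIL (message syntax error)" if problems else "OK"
    return result, problems

def oversigned_h(raw: bytes, fields=("from", "subject", "to", "date")) -> str:
    """Build an h= value naming each field one more time than it occurs,
    so a field added after signing no longer verifies."""
    counts = header_counts(raw)
    names = []
    for field in fields:
        names += [field] * (counts.get(field, 0) + 1)
    return ":".join(names)

# Constructed sample messages.
CLEAN = (b"From: alice@example.com\r\nTo: bob@example.net\r\n"
         b"Subject: hello\r\nDate: Thu, 14 Oct 2010 12:28:24 +0200\r\n"
         b"\r\nbody\r\n")
DUPLICATED = b"From: mallory@example.org\r\n" + CLEAN  # second From: prepended

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("duplicated", DUPLICATED)):
        print(label, syntax_check(raw), "h=" + oversigned_h(raw))
```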
