ietf-dkim

Re: [ietf-dkim] detecting header mutations after signing

2010-10-15 16:45:40
  On 10/15/10 8:40 AM, Mark Delany wrote:
h=from:from:subject:subject:to:to:cc:cc:mime-version:mime-version:list-id:list-id?
Yes, it does.  The only question is to devise normative statements
correctly, e.g. MUST duplicate "From", SHOULD duplicate the rest.

This is _not_ a kludge.  It is how DKIM signing works (Section 5.4).

Are we worried about wasting 100~200 bytes per signature?  (I get ~4Kb
headers nowadays, so that is about 3% of it.)  Introducing an
abbreviation --e.g. an h2 tag-- is considerably clearer from an
algorithm developer's POV.
Well, if you want to introduce semantic changes why not just change
the meaning of h=from:to: to be semantically identical to
h=from:from:to:to:

Old verifiers still work as well as they do today, new verifiers work
better and virtually all existing signers still work (excepting those
that sign a subset of legitimately repeating headers - which must be
rare).

In either case, the implementation changes are about the same, but
the spec is simpler.
Agreed.  But use of the h=from:from prevents one mode of exploitation, 
because this requirement until now had not been made explicit.

-Doug
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
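
Added example (not part of the original message or of any DKIM implementation): a sketch of the bottom-up header selection that Section 5.4 describes, showing why h=from:from exposes a From header added after signing while h=from does not. The canonicalization is deliberately simplified, the digest stands in for the signed header hash, and the addresses and function names are constructed for illustration.

```python
import hashlib

def select_signed(headers, h_tag):
    """Return the header instances covered by an h= list.

    headers is a list of (name, value) in message order, top first.
    Each name in h= consumes the next unused instance counting from the
    bottom of the header block; a name with no instance left is signed
    as absent (the null string)."""
    remaining = {}
    for idx, (name, _) in enumerate(headers):
        remaining.setdefault(name.lower(), []).append(idx)
    picked = []
    for name in h_tag.lower().split(":"):
        name = name.strip()
        stack = remaining.get(name, [])
        if stack:
            picked.append(headers[stack.pop()])  # bottom-most unused instance
        else:
            picked.append((name, None))          # signed as non-existent
    return picked

def header_digest(headers, h_tag):
    """Digest over the selected headers (simplified canonicalization,
    assumption: lower-cased name, stripped value, CRLF terminator)."""
    m = hashlib.sha256()
    for name, value in select_signed(headers, h_tag):
        if value is not None:
            m.update(f"{name.lower()}:{value.strip()}\r\n".encode())
    return m.hexdigest()

# Constructed sample: the message as signed, and the same message with an
# extra From header prepended somewhere between signer and verifier.
SIGNED = [("From", "alice@example.com"),
          ("To", "bob@example.net"),
          ("Subject", "Q3 report")]
MUTATED = [("From", "mallory@example.org")] + SIGNED

def mutation_detected(h_tag):
    """True when the verifier's digest no longer matches the signer's."""
    return header_digest(SIGNED, h_tag) != header_digest(MUTATED, h_tag)

if __name__ == "__main__":
    for h in ("from:to:subject", "from:from:to:subject"):
        print(f"h={h:22} mutation detected: {mutation_detected(h)}")
```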
