SM wrote:
> Hi Hector,
> At 15:23 13-05-2011, Hector Santos wrote:
>> I am wondering if anyone else can confirm BODY HASH errors with the
>> originating author domain DKIM signature mail submitted to the
>> IETF-SMTP fora.
> Yes. It may be an extra line between the message headers and the body.
Visually comparing the sent message versus the one echoed back by the
list, that seems to be the case. Checking into this, I see that I
discovered this issue back in 2006 and wrote this I-D proposing a new
C14N method called STRIP.
http://tools.ietf.org/html/draft-santos-dkim-strip-00
Abstract
The DKIM base protocol offers two digital signature
canonicalization (c14n) methods called "relaxed" and "simple" with
low reliability and survivability during in-transient operations.
This proposal describes a new STRIP canonicalization algorithm and
method to increase the reliability and survivability of the digital
signature. In addition, the proposal describes new original body
hashing requirements to help secure STRIP c14n security concerns
found in a similar but deprecated NOFWS c14n method.
From the 1.0 introduction:
....
This document introduces the new STRIP c14n which is similar to
RELAXED but with the added logic to remove all CR and LF characters
from the hashing engine. The STRIP c14n is very similar to the NOFWS
c14n method used by Yahoo's experimental DomainKeys protocol and was
once considered for usage for the DKIM protocol. However, since it
was determined the NOFWS c14n exhibited some replay security threats,
it is expected for STRIP c14n to also inherit the same security
concerns.
The security concerns stated in the final sentence were addressed in
this proposal.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
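The following is an added example, not code from the thread, the draft, or any DKIM implementation. It reproduces the failure SM describes (one extra CRLF inserted between headers and body by the list) by computing the DKIM body hash under RFC 6376 "simple" and "relaxed" body canonicalization and under a STRIP variant built from the quoted description only (relaxed plus removal of every CR and LF); the exact STRIP rules from the draft are an assumption here, as are the function names and the sample body. It also shows the cost the abstract alludes to: once line breaks are removed from the hashed input, bodies that differ only in line structure hash identically, which is why a separate original-body hash was proposed.

```python
import base64
import hashlib
import re

# Constructed sample: the body as sent, and the same body as echoed back by a
# list that inserted one extra CRLF between the headers and the body.
SENT_BODY = b"Hello,\r\n\r\nThis is  a test.\r\n\r\n\r\n"
ECHOED_BODY = b"\r\n" + SENT_BODY


def simple_body(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines only."""
    lines = body.split(b"\r\n")
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n"          # an empty body canonicalizes to a single CRLF
    return b"\r\n".join(lines) + b"\r\n"


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: trim trailing whitespace on
    each line, collapse runs of WSP to one space, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b""              # an empty body canonicalizes to the empty string
    return b"\r\n".join(lines) + b"\r\n"


def strip_body(body: bytes) -> bytes:
    """Approximation (assumption) of the draft's STRIP c14n as the quoted text
    describes it: 'relaxed' plus removal of every CR and LF from the hashed input.
    The draft's exact rules are not on the page."""
    return relaxed_body(body).replace(b"\r", b"").replace(b"\n", b"")


def body_hash(canonical_body: bytes) -> str:
    """The bh= tag value: base64(SHA-256) of the canonicalized body."""
    return base64.b64encode(hashlib.sha256(canonical_body).digest()).decode("ascii")


def compare(sent: bytes, echoed: bytes) -> dict:
    """Per c14n method, True if the body hash survived the list's modification."""
    methods = {"simple": simple_body, "relaxed": relaxed_body, "strip": strip_body}
    return {name: body_hash(fn(sent)) == body_hash(fn(echoed)) for name, fn in methods.items()}


if __name__ == "__main__":
    for name, ok in compare(SENT_BODY, ECHOED_BODY).items():
        print(f"{name:8s} body hash {'survives' if ok else 'BREAKS'} the extra leading CRLF")
    # The cost of STRIP: bodies that differ only in where lines break hash the same,
    # so the signature no longer vouches for the body's line structure.
    print("strip collapses line structure:",
          strip_body(b"alpha\r\nbeta\r\n") == strip_body(b"alphabeta\r\n"))
```

Running it shows "simple" and "relaxed" both breaking on the leading CRLF (both only ignore empty lines at the end of the body) while "strip" survives; the final line prints True, illustrating the replay concern the abstract mentions.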