Here are some of the criteria which I think any RFC2822-level signature
scheme should meet.
First, it should handle multiple signatures. A recipient may quite
reasonably want to verify and or all of the addresses in the From:,
Sender, Resent-From: and/or Resent-Sender: headers.
Second, it should be resilient to the common mangling which messages may
encounter in transit -- in particular the addition of text to the end of
a mail by mailing lists, by idiotic disclaimers and by self-advertising
virus checkers.
Also, as an adjunct to the above, it should ideally survive the
stripping of MIME parts which some mailing lists perform. Signing each
MIME part separately would be useful, rather than signing the message as
a whole.
By way of example, consider the following mail:
--------------
Resent-From: Joe <engineer(_at_)company(_dot_)com>
Resent-To: Sleuth <reporter(_at_)news(_dot_)org>
Resent-Message-Id: <102(_at_)server(_dot_)company(_dot_)com>
Resent-Date: Tue, 24 Feb 2004 11:30:02 +0000
From: Fred <boss(_at_)company(_dot_)com>
Sender: Jane <secretary(_at_)company(_dot_)com>
Message-ID: <101(_at_)server(_dot_)company(_dot_)com>
To: Staff <all(_at_)company(_dot_)com>
Date: Mon, 23 Feb 2004 14:20:34 +0000
You're all going to be fired next week. Sucks to be you.
--
Fred.
This mail was checked for viruses by some company's free advert.
--------------
Each of Joe, Fred and Jane might wish to disavow their part in this
email, the recipient may be interested in verifying the signature from
each of them. A similar situation arises even with just the different
From: and Sender: encountered in most mailing list traffic. If you
receive a mail with reverse-path
'owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org' your
mail filters may well put it into this mail folder, but did it _really_
go to all the recipients of the list? And, of course, was it really sent
by the person from whom it claims to have been sent?
Now, the problem of stuff being added to the message in transit. This
doesn't seem particularly difficult to deal with. Consider the mail
above -- Fred sent only four lines of that, and the rest was added
later. So Fred's signature should _say_ so, and give a way to find those
four lines. This can be done by augmenting the real, secure hash of the
content with a simple way of finding the four lines which Fred really
wrote -- the number of lines and a cheap rolling checksum, where you can
add one line and subtract another as you move your 'window' down the
text in question to find the match.
Let us for the moment completely ignore the details of what the headers
might be called, and how we might do the _secure_ signatures. But Fred
may have added a header which identifies himself, and the signs the
content he generated:
X-Auth-1-hash-content: 4,3d58b23a,hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
You'd check his signature by looking for four lines in the text which
match that cheap checksum, then verify the stronger hash.
As the actual sender, Jane will also have added an identical signature
of her own on the content, and also signatures of the Date: and
Message-Id: headers, having canonicalised the headers by folding
whitespace and discarding comments:
X-Auth-2-hash-content: 4,3d58b23a,iiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
X-Auth-2-hash-Date: jjjjjjjjjjjj
X-Auth-2-hash-Message-Id: kkkkkkkkkkkkkkk
Now when Joe resends it, he adds his own headers, including a signature
on the silly virus-scanner advert:
X-Auth-3-hash-content: 5,5c2d7823,mmmmmmmmmmmmmmmmmmmmmmmm
X-Auth-3-hash-Resent-Date: lllllllllllllllllll
X-Auth-3-hash-Message-Id: nnnnnnnnnnnnnnnnnnnnn
( maybe also resign the original Date: and Message-Id:)
Now, there is the question of how to authenticate all those separate
hashes of content and headers. Perhaps each party would add a cover-all
header with the identity of their public key, and a signature
identifying and encompassing all the signatures which are present.
By doing it like this, you get to sign different parts of the message
separately and as resilient as possible to damage in transit.
Obviously this is far from being a coherent and complete method, but
maybe there are ideas which could be useful.
--
dwmw2