
Re: Mailing lists and signatures (was: Re: CircleID on DomainKeys)

2004-10-31 12:37:59

At 06:38 AM 10/31/2004 +0000, John Levine wrote:
[ talking about IIM ]
This mailing list is easy; all it does is add an extra CRLF before
the body which the "nofws" canonicalization takes care of. But IIM
also works for the ASRG list that adds a footer and adds [ASRG] to
the subject line.

Can you explain (or tell where to find an explanation) of what a
recipient is supposed to do when the copied header doesn't match the
actual header?  Is the intention to use some sort of distance function
to decide whether the two headers are close enough, just ignore the
differences, or what?

It's really up to the verifier.  It could:

1. Copy the copied header to the "actual" header, thereby losing any 
modification that was done.

2. Consider the signature to be invalid if the copied header is different from 
the actual header.

3. Ignore the fact that the headers are different, in effect disregarding the 
fact that a signed header is available.

4. If the verifier happens to be the MUA, highlight the differences (different 
color?), display both headers, or display a warning that the header has been 
modified.  This could also be done by an MUA if a verifying MTA had verified 
the message but not changed anything (#3).

The IIM specification is silent on this because it's really a policy decision 
on the part of the recipient what they want to do (although perhaps this 
discussion would be a useful guide).  Personally, I think #1 (if the verifier 
is not the MUA) or #4 (if it is) are the most useful.


I would be rather concerned that a bad guy could take a short valid
message, add new MIME sections or large amounts of new text, replace
the subject line, and still have IIM say it was OK.  This is the "bad
guys don't play by the rules" problem that bedevils all sorts of
security designs.

The above should address the subject line issue.  The verifier can similarly 
decide how much may be appended to the body:  they have the original byte 
count, and know how long the body is when they verify it.  Maybe adding 10K to 
a 200-byte body isn't acceptable, but I don't know how we could decide in the 
spec what passes and what doesn't.


Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet 
for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.

PS: My take on the mailing list question is that a list manager that
does anything more than forward messages untouched has created new
messages and it's up to the list host to sign them.

I agree that it should.  The issue here is what to do when a list manager is 
signature-unaware.

-Jim
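As an added illustration (not code from the thread, IIM, or its authors), the following Python sketches the two policy questions above: the four verifier options for a signed header copy that no longer matches the actual header, and a body-growth check that uses the signer's byte count. Assumptions: the "nofws" canonicalization is simplified to stripping all whitespace, a plain SHA-256 digest stands in for the real signature, and the growth caps (2048 extra bytes, 4x) are made-up local policy values.

```python
import hashlib

def nofws(text):
    # "nofws" canonicalization (simplified): remove all whitespace, so the
    # extra CRLF a list inserts before the body does not change the digest.
    return "".join(text.split())

def sign_body(body):
    # Signer side (digest only, no real signature): record canonical length and hash.
    canon = nofws(body)
    return len(canon), hashlib.sha256(canon.encode("utf-8")).hexdigest()

def body_growth_ok(signed_len, actual_len, max_extra=2048, max_factor=4):
    # Local policy with assumed numbers: tolerate a list footer, refuse 10K on 200 bytes.
    extra = actual_len - signed_len
    return 0 <= extra <= max_extra and actual_len <= max_factor * max(signed_len, 1)

def verify_body(body, signed_len, signed_hash):
    # Hash only the signed prefix (the signer's byte count), then judge what was appended.
    canon = nofws(body)
    if len(canon) < signed_len:
        return "fail:truncated"
    if hashlib.sha256(canon[:signed_len].encode("utf-8")).hexdigest() != signed_hash:
        return "fail:hash"
    return "pass" if body_growth_ok(signed_len, len(canon)) else "fail:appended-too-much"

def header_diffs(signed_copies, actual_headers):
    # Signed copies of headers vs. the headers actually present on the message.
    return {name: (val, actual_headers.get(name))
            for name, val in signed_copies.items()
            if nofws(actual_headers.get(name, "")) != nofws(val)}

def apply_header_policy(policy, signed_copies, actual_headers):
    # The four options from the thread: restore (#1), reject (#2), ignore (#3), warn (#4).
    diffs = header_diffs(signed_copies, actual_headers)
    headers = dict(actual_headers)
    if not diffs:
        return "pass", headers
    if policy == "restore":
        headers.update({n: signed for n, (signed, _) in diffs.items()})
        return "pass", headers
    if policy == "reject":
        return "fail", headers
    if policy == "ignore":
        return "pass", headers
    if policy == "warn":
        return "warn:" + ",".join(sorted(diffs)), headers
    raise ValueError("unknown policy: " + policy)
```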

