-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Conjecture: There are counterexamples where things are suboptimal for
any algorithm you can specify.
Corollary: Yes, we can come up with examples where internal whitespace
is significant. Yes, we can come up with examples where trailing
whitespace is significant. Yes, we can come up with examples where
trailing trailing newlines are significant. (If you can't, try harder.)
The question for me is: How much do the different algorithms affect
security for typical use? And how much does the security degrade when
the non-optimal case is present? And is that acceptable?
Tony Hansen
tony(_at_)att(_dot_)com
Earl Hood wrote:
On July 17, 2005 at 00:27, domainkeys-feedbackbase02(_at_)yahoo(_dot_)com
wrote:
X I = I + 1;
is a comment, whereas:
X I = I + 1;
is not.
So, if you have a canonicalization algorithm that ignores spaces,
you could reinject an email that has the X in the comment column
with an email that has the X in a non-comment column, thus
completely changing the semantics of the content, yet the signature
still verifies.
A good example that the nowsp algorithm in the DKIM draft is not
acceptable. Basically, when whitespace is significant, it should not
be eliminated. That is why only trailing whitespace at the end of
lines should be done (along with removing LWSP at end of entities).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFC2rydxsSylYhzrRYRAjDVAKDEnwnOlpy0kcy6zo71+wcXL5P/pgCePZo0
gP47sSJ2pDGoechh/kZyf2Q=
=zurB
-----END PGP SIGNATURE-----
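
The comment-column case quoted above, as an added example that is not part of the original message or of any DKIM implementation. Assumptions: `canon_nowsp` is a simplified model of a rule that deletes all whitespace, `canon_trailing_only` models the trailing-whitespace-only rule suggested in the quoted reply, SHA-256 stands in for the body hash a signature would cover, and the sample bodies are constructed.

```python
import hashlib
import re


def canon_nowsp(body: str) -> bytes:
    """Simplified model of a 'nowsp'-style rule: delete every whitespace character."""
    return re.sub(r"\s+", "", body).encode()


def canon_trailing_only(body: str) -> bytes:
    """Strip whitespace at the end of each line and empty lines at the end of the body."""
    lines = [ln.rstrip(" \t") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str, canon) -> str:
    """Digest a signature would cover; equal digests mean the same signature verifies."""
    return hashlib.sha256(canon(body)).hexdigest()


def signature_survives(signed: str, received: str, canon) -> bool:
    """True if a signature made over `signed` would still verify on `received`."""
    return body_hash(signed, canon) == body_hash(received, canon)


# Constructed sample: a language where 'X' in column 1 marks a comment line.
SIGNED = "X     I = I + 1;\r\n"           # comment: the statement is inert
TAMPERED = " X    I = I + 1;\r\n"         # X moved to column 2: no longer a comment
TRAILING = "X     I = I + 1;   \r\n\r\n"  # only trailing whitespace and newlines added

if __name__ == "__main__":
    for name, canon in (("nowsp", canon_nowsp),
                        ("trailing-only", canon_trailing_only)):
        print(name,
              "| column shift still verifies:",
              signature_survives(SIGNED, TAMPERED, canon),
              "| trailing change still verifies:",
              signature_survives(SIGNED, TRAILING, canon))
```

The trailing-only rule rejects the column shift but still accepts the body with added trailing whitespace and newlines, which is the residual case the first paragraph of the message asks about.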