ietf-mailsig

Re: Goldilocks Canonicalization

2005-07-18 18:24:56


On Jul 18, 2005, at 5:13 PM, Michael Thomas wrote:

Douglas Otis wrote:

It seems DKIM could do better, as 'nowsp' will likely invite abuse

... senders always have the recourse to modify the body to
qp or b64 or use the simple canonicalization instead. Other
suggestions have from what I've seen been wanting to slide right
down the complexity slippery slope for which I have a great deal
of problem -- we already have ability *before* you send the message
to DKIM to be signed.


What do you think of Earl Hood's suggestion? Is that going too far over the edge?

,---
| For the headers,
|   1. Strip all WSP characters at the end of each line of a header field,
|      before any unfolding is done.
|   2. Unfold any fields that are folded.
|   3. Convert field names to lowercase.
|
| For the body,
|   1. LWSP at the beginning of the body is removed.
|   2. All trailing WSP at the end of lines are removed.
|   3. Any lone CR or LF is converted to CRLF.
|   4. LWSP at the end of the body is removed.
| (5. Lines in excess of 2048 octets, should be wrapped prior to signing,
|      per Sendmail conventions.)
'---

I admit to being concerned by a potential for a replay problem, in addition to a failure rate due to canonicalization limitations. Perhaps Goldilocks is a reference to there being three choices? Perhaps a mode between 'simple' and 'nowsp' _is_ just right. : )

It seems most messages are not base64, so this will entail an additional base64 encoding prior to signing, which seems to go against your motto of doing no harm. I don't think quoted-printable conversion offers much in the way of protection from modifications that 'nowsp' allows. The goal of qp was to overcome character conversions and 7-bit limitations, but it still allows normal ASCII text which includes these characters that MAY be escaped.

-Doug
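
Added example, not part of the original message and not code from any DKIM implementation: the header and body steps quoted above from Earl Hood, written as Python and run over constructed sample messages. It assumes LWSP means SP, HTAB, CR and LF, applies body step 3 first so that lines ended by a lone CR or LF also lose their trailing WSP, and uses SHA-256 only as a comparison digest, not as a signature.

```python
import hashlib
import re

EOL = re.compile(rb"\r\n|\r|\n")   # CRLF, lone CR, or lone LF
WSP = b" \t"
LWSP = b" \t\r\n"                  # assumption: LWSP = WSP plus line breaks

def canon_header(field: bytes) -> bytes:
    """Header steps 1-3 for one (possibly folded) header field."""
    lines = [ln.rstrip(WSP) for ln in EOL.split(field)]  # 1. trailing WSP per line
    unfolded = b"".join(lines)                           # 2. unfold: drop line breaks
    name, sep, value = unfolded.partition(b":")
    return name.lower() + sep + value                    # 3. lowercase field name

def canon_body(body: bytes) -> bytes:
    """Body steps 1-4; step 5 (wrapping long lines) is left to the sender."""
    text = EOL.sub(b"\r\n", body)                        # 3. lone CR/LF -> CRLF
    text = text.lstrip(LWSP)                             # 1. leading LWSP
    lines = [ln.rstrip(WSP) for ln in text.split(b"\r\n")]  # 2. trailing WSP
    return b"\r\n".join(lines).rstrip(LWSP)              # 4. trailing LWSP

def digest(headers: list[bytes], body: bytes) -> str:
    """Comparison digest over the canonical form (not a DKIM signature)."""
    h = hashlib.sha256()
    for field in headers:
        h.update(canon_header(field) + b"\r\n")
    h.update(b"\r\n" + canon_body(body))
    return h.hexdigest()

# Constructed sample: the message as handed to the signer.
SENT_HDRS = [b"Subject: Goldilocks\r\n test\r\n", b"From: a@example.org\r\n"]
SENT_BODY = b"Hello world\r\nSecond line\r\n"

# Constructed sample: same message after a relay changed case, folding
# whitespace, line endings, and leading/trailing blank lines.
RELAY_HDRS = [b"SUBJECT: Goldilocks  \n test \n", b"from: a@example.org\n"]
RELAY_BODY = b"\nHello world   \nSecond line\t\n\n\n"

# Constructed sample: whitespace changed inside a line.
EDITED_BODY = b"Hello  world\r\nSecond line\r\n"

if __name__ == "__main__":
    print("relay-mangled copy matches:",
          digest(SENT_HDRS, SENT_BODY) == digest(RELAY_HDRS, RELAY_BODY))
    print("interior edit matches:   ",
          digest(SENT_HDRS, SENT_BODY) == digest(SENT_HDRS, EDITED_BODY))
```

Under these steps the relay-mangled copy canonicalizes to the same bytes as the original, while a change to whitespace inside a line still changes the digest.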








