
Re: Better DKIM Verification Example Needed

2005-07-27 15:31:04


----- Original Message -----
From: "Arvel Hathcock" <arvel(_at_)altn(_dot_)com>
To: "ietf-mailsig" <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Wednesday, July 27, 2005 5:25 PM
Subject: Re: Better DKIM Verification Example Needed


Does the above mean the empty tag "b=;" is used or none?

Yes, use b=;

One clarification on that.  If b= is the last tag in the signature (as
recommended by the spec) then you don't need the ; at the end and it should
just be b= rather than b=;.   The semicolon is required when there are other
tags afterward.  If b= is the last tag then the ; is not strictly required.
It's not entirely clear whether a ; char following the last tag in a
signature would hash out in such a way as to cause a problem.  We need to
test this and post back the results.

I tried every combination I can think of.

If we can extend the nowsp example, it would help:

Given:

   DKIM-Signature: a=rsa-sha1; d=example.net; s=brisbane;
      c=simple; q=dns; i=(_at_)eng(_dot_)example(_dot_)net;
      h=A:B;
      b=dzd.....YzR
   A: <SP> X <CRLF>
   B: <SP> Y <CRLF>
    <SP> Z <CRLF>
   <CRLF>
   C <CRLF>
   D <SP><TAB><SP> E <CRLF>

      is canonicalized to:

According to the specs (as I read it):

   a:X<CRLF>b:YZ<CRLF><CRLF>CDE
   <CRLF>dkim-signature:a=rsa-sha1;d=example.net;
   s=brisbane;c=simple;q=dns;i=(_at_)eng(_dot_)example(_dot_)net;h=A:B;

Does this look right?

It might help during field testing if a "debug tag" or header is used for
providing maybe the final canonicalized length and SHA1 hash.   The l= tag
helps for the canonicalized body size, but we don't have a verification (for
testing across systems) for the remaining canonicalized buffer.

This will tremendously help reduce time (and money) in the wide dispense
area of development where engineers need to test all this.   If an incoming
message fails, we need to have some level of debugging information so that
we don't lose hair over it :-)

My suggestion is an optional debug header that will help in the
canonicalization area.

   DKIM-Signature-Debug:
         fl=#; hl=#; bl=#; hh=#; bh=#; fh=#;

where

   hl    = total header canonicalized length
   bl    = total body canonicalized length
   fl    = final canonicalized length
   hh    = accumulated header hash (b64)
   bh    = accumulated body hash (b64)
   fh    = accumulated final hash (b64)

In most cases, it would be a short term debug header only, once field
testing is completed.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
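Added worked example (not code from the message above, from the DKIM drafts or from any implementation): it canonicalizes the sample message exactly as the post reads the spec (field names lowercased, every SP/TAB/CR/LF removed from header values and from the body, signed headers, a blank line, the body, a CRLF, then the DKIM-Signature header with its b= value blanked), and then shows why the b= question matters: dropping the tag, leaving "b=", and leaving "b=;" produce three different hash inputs and therefore three different SHA-1 digests, so signer and verifier must pick the same convention. It also builds the proposed DKIM-Signature-Debug fields (hl/bl/fl/hh/bh/fh), which are hypothetical here; the archive's "(_at_)"/"(_dot_)" rewriting is undone, so the tag is i=@eng.example.net, and which header count hl covers is this example's own assumption (the h= headers only).

```python
"""Canonicalization per the post's reading, plus the b= / b=; / no-b= digests."""
import base64
import hashlib
import re

# Constructed input copied from the post's example. The list archive renders
# "@" as "(_at_)" and "." as "(_dot_)"; the real tag value is i=@eng.example.net.
SIG_HEADER_VALUE = ("a=rsa-sha1; d=example.net; s=brisbane;\r\n"
                    "   c=simple; q=dns; i=@eng.example.net;\r\n"
                    "   h=A:B;\r\n"
                    "   b=dzd.....YzR")
SIGNED_HEADERS = [("A", " X"), ("B", " Y\r\n Z")]   # the fields named in h=A:B
BODY = "C\r\nD \t E\r\n"

WS = re.compile(r"[ \t\r\n]+")                       # whitespace as the post strips it
B_TAG = re.compile(r"(?<![A-Za-z0-9])b=[^;]*;?")     # the b= tag, its value and any ;


def canon_header(name, value):
    """Field name lowercased, all whitespace removed from the value (post's reading)."""
    return name.lower() + ":" + WS.sub("", value)


def canon_body(body):
    """The post's reading collapses the body to its non-whitespace bytes ("CDE")."""
    return WS.sub("", body)


def blank_b_tag(sig_value, b_form):
    """Blank the b= value in one of the three forms discussed in the thread:
    'drop' (tag removed entirely), 'bare' ("b="), or 'semicolon' ("b=;")."""
    replacement = {"drop": "", "bare": "b=", "semicolon": "b=;"}[b_form]
    return B_TAG.sub(replacement, sig_value)


def canonicalized_message(b_form):
    """Return (signed headers, body, signature header) in canonical form."""
    headers = "".join(canon_header(n, v) + "\r\n" for n, v in SIGNED_HEADERS)
    body = canon_body(BODY)
    sig = canon_header("DKIM-Signature", blank_b_tag(SIG_HEADER_VALUE, b_form))
    return headers, body, sig


def hash_input(b_form):
    """The full string that would be hashed: headers, blank line, body, CRLF, signature."""
    headers, body, sig = canonicalized_message(b_form)
    return headers + "\r\n" + body + "\r\n" + sig


def b64_sha1(data):
    return base64.b64encode(hashlib.sha1(data.encode("ascii")).digest()).decode()


def debug_header(b_form):
    """Hypothetical DKIM-Signature-Debug fields from the post; hl covers the h= headers."""
    headers, body, sig = canonicalized_message(b_form)
    final = hash_input(b_form)
    return {"hl": len(headers), "bl": len(body), "fl": len(final),
            "hh": b64_sha1(headers), "bh": b64_sha1(body), "fh": b64_sha1(final)}


def format_debug_header(b_form):
    """Render the fields as the header line proposed in the post."""
    fields = debug_header(b_form)
    return "DKIM-Signature-Debug: " + " ".join(f"{k}={v};" for k, v in fields.items())


if __name__ == "__main__":
    for form in ("drop", "bare", "semicolon"):
        # Only the last bytes differ, but that is enough to change every final hash.
        print(f"{form:9} tail={hash_input(form)[-10:]!r}")
        print("   " + format_debug_header(form))
```

Running it prints three debug lines whose hh and bh values agree (the signed headers and body are identical in all three cases) while fh differs each time, which is exactly the situation a per-message length-plus-hash header would let two implementations diagnose without exchanging private keys or raw buffers.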

