----- Original Message -----
From: "Arvel Hathcock" <arvel@altn.com>
To: "ietf-mailsig" <ietf-mailsig@imc.org>
Sent: Wednesday, July 27, 2005 5:25 PM
Subject: Re: Better DKIM Verification Example Needed
Does the above mean the empty tag "b=;" is used or none?
Yes, use b=;
One clarification on that. If b= is the last tag in the signature (as
recommended by the spec) then you don't need the ; at the end and it should
just be b= rather than b=;. The semicolon is required when there are other
tags afterward. If b= is the last tag then the ; is not strictly required.
It's not entirely clear whether a ; char following the last tag in a
signature would hash out in such a way as to cause a problem. We need to
test this and post back the results.
I tried every combination I can think of.
If we can extend the nowsp example, it would help:
Given:
DKIM-Signature: a=rsa-sha1; d=example.net; s=brisbane;
c=simple; q=dns; i=@eng.example.net;
h=A:B;
b=dzd.....YzR
A: <SP> X <CRLF>
B: <SP> Y <CRLF>
<SP> Z <CRLF>
<CRLF>
C <CRLF>
D <SP><TAB><SP> E <CRLF>
is canonicalized to:
According to the specs (as I read it):
a:X<CRLF>b:YZ<CRLF><CRLF>CDE
<CRLF>dkim-signature:a=rsa-sha1;d=example.net;
s=brisbane;c=simple;q=dns;i=@eng.example.net;h=A:B;
Does this look right?
It might help during field testing if a "debug tag" or header is used for
providing maybe the final canonicalized length and SHA1 hash. The l= tag
helps for the canonicalized body size, but we don't have a verification (for
testing across systems) for the remaining canonicalized buffer.
This will tremendously help reduce time (and money) in the wide dispense
area of development where engineers need to test all this. If an incoming
message fails, we need to have some level of debugging information so that
we don't lose hair over it :-)
My suggestion is an optional debug header that will help in the
canonicalization area.
DKIM-Signature-Debug:
fl=#; hl=#; bl=#; hh=#; bh=#; fh=#;
where
hl = total header canonicalized length
bl = total body canonicalized length
fl = final canonicalized length
hh = accumulated header hash (b64)
bh = accumulated body hash (b64)
fh = accumulated final hash (b64)
In most cases, it would be a short term debug header only, once field
testing is completed.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
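The following is an added example written for this page; it is not code from either correspondent or from any DKIM implementation. It implements the canonicalization exactly as the message above reads it (every SP, TAB, CR and LF removed from a header value with the field name lowercased and one CRLF terminating each field; all whitespace removed from the body; then a CRLF and the DKIM-Signature field with its b= value emptied, either as a bare trailing `b=` or as `b=;`), and it computes the `hl`, `bl`, `fl`, `hh`, `bh` and `fh` values proposed for the DKIM-Signature-Debug header. The sample headers, body and signature are constructed to match the thread's example; the assumption that the body's whitespace-free text is followed by a single CRLF before the signature field is the editor's reading of the layout shown, not a statement of what the draft required.

```python
"""Added example: nowsp-style canonicalization as read in the thread above,
plus the lengths and base64 SHA-1 hashes proposed for a debug header.
Assumptions (editor's, not the thread's): folding CRLF is dropped inside a
header value, all whitespace is dropped from the body, and the b= value is
emptied before the DKIM-Signature field is appended."""
import base64
import hashlib
import re

_WS_ALL = re.compile(r"[ \t\r\n]")

# Constructed sample mirroring the thread's example (h=A:B, body C/D/E).
SAMPLE_HEADERS = [("A", " X"), ("B", " Y\r\n Z")]
SAMPLE_BODY = "C\r\nD \t E\r\n"
SAMPLE_SIGNATURE = (" a=rsa-sha1; d=example.net; s=brisbane;\r\n"
                    " c=simple; q=dns; i=@eng.example.net;\r\n"
                    " h=A:B;\r\n"
                    " b=dzd.....YzR")


def nowsp_header(name, value):
    """Lowercase the field name, remove every whitespace character (including
    the folding CRLF) from the value, and terminate the field with one CRLF."""
    return f"{name.lower()}:{_WS_ALL.sub('', value)}\r\n"


def nowsp_body(body):
    """Remove all whitespace from the body (the thread's 'CDE')."""
    return _WS_ALL.sub("", body)


def blank_b_tag(sig_value, trailing_semicolon=False):
    """Empty the b= value of a signature field. With trailing_semicolon=True
    the result ends in 'b=;' (the first answer); by default it ends in a bare
    'b=' (the clarification for a b= that is the last tag)."""
    tags = [t for t in _WS_ALL.sub("", sig_value).split(";") if t]
    tags = ["b=" if t.startswith("b=") else t for t in tags]
    return ";".join(tags) + (";" if trailing_semicolon else "")


def canonicalize(headers, body, sig_value, trailing_semicolon=False):
    """Return (header_part, body_part, full) in the layout shown in the thread:
    signed headers, CRLF, body, CRLF, DKIM-Signature field with b= emptied."""
    header_part = "".join(nowsp_header(n, v) for n, v in headers)
    body_part = nowsp_body(body)
    sig_field = nowsp_header("DKIM-Signature",
                             blank_b_tag(sig_value, trailing_semicolon))
    full = header_part + "\r\n" + body_part + "\r\n" + sig_field.rstrip("\r\n")
    return header_part, body_part, full


def _b64_sha1(text):
    """Base64 of the SHA-1 digest, the form the proposed debug tags use."""
    return base64.b64encode(hashlib.sha1(text.encode("ascii")).digest()).decode("ascii")


def debug_tags(headers, body, sig_value, trailing_semicolon=False):
    """Values for the proposed DKIM-Signature-Debug header: canonicalized
    lengths (hl, bl, fl) and accumulated hashes (hh, bh, fh)."""
    h, b, f = canonicalize(headers, body, sig_value, trailing_semicolon)
    return {"fl": len(f), "hl": len(h), "bl": len(b),
            "hh": _b64_sha1(h), "bh": _b64_sha1(b), "fh": _b64_sha1(f)}


def format_debug_header(tags):
    """Render the tags in the order the proposal lists them."""
    order = ("fl", "hl", "bl", "hh", "bh", "fh")
    return "DKIM-Signature-Debug: " + " ".join(f"{k}={tags[k]};" for k in order)


if __name__ == "__main__":
    _, _, full = canonicalize(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SIGNATURE)
    print(full.replace("\r\n", "<CRLF>\n"))
    print(format_debug_header(debug_tags(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SIGNATURE)))
```

Running the block prints the canonical string with `<CRLF>` markers in the same style the thread uses, so two implementations can be compared line by line; comparing `hl`, `bl` and `fl` first narrows a mismatch to the header, body or signature part before the hashes are looked at.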