ietf-mailsig
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: alternate key server mechanisms

2005-07-27 20:59:11
from [Arvel Hathcock] [Permanent Link] 

I completely don't understand (which shouldn't surprise anyone by now).
How can a policy lookup be avoided with each and every verification if the purpose of the policy semantics are to "allow the sender to describe their signature policy in sufficient detail that the lack of a signature header that 
complies with the policy can be understood to indicate a forgery."
How can a verifier know whether a signature "compiles with the policy" unless it query for the policy always? 

--
Arvel
----- Original Message ----- From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> 
To: <arvel(_at_)altn(_dot_)com>; "ietf-mailsig" 
<ietf-mailsig(_at_)imc(_dot_)org>
Sent: Wednesday, July 27, 2005 4:48 PM
Subject: RE: alternate key server mechanisms




[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Arvel 
Hathcock



> Separately we need to modify the policy document so
> that the signing policy can state the q= options that
> may be contained in a signature.

Here you are moving beyond the realm of the optional I think.


Making the extension mechanism work is not an optional work item for the
WG as the AD has already stated in the security review:

  "Neither DomainKeys nor IIM makes use of certificates.  The goal is
to
  start with something simple; something that does not dependent on the
  deployment of an infrastructure.  The question is: what is simple
  enough?  The solution needs to be complex enough to support the
  evolution to a supporting infrastructure; however, there are also
  concerns with incrementally adding things.  One must ensure that the
  final architecture is not more complex than deploying an
  infrastructure from the beginning."

  "Overall complexity must be considered.  Enhanced deployment may be a
  reasonable justification for incrementally developing technology.
  Minimizing specification time at the cost of deployment complexity is
  not such a justification."


Additionally, this move would require a policy lookup on each
signature
check in order to determine what q= values were acceptable
wouldn it not?


No, the rules are just the same as before. You ONLY need to check the
policy record if:

* There is no signature on the message
* None of the signatures present can be verified by the receiver
* The message has been modified
* The signature format is not supported

The last condition could be because:

* The signature uses an unsupported algorithm
* The signature uses an unsupported key retrieval mechanism
* The signature uses an unsupported canonicalization mechanism

These are all problems that the policy mechanism MUST solve. Consider:

  "Nieither DomainKeys nor IIM does a good job specifying the
  Cryptographic algorithms.  Both require RSA (probably the PKCS#1
  version 1.5 variant) and SHA-1.  This is a fine choice, but the
  specification needs to handle other algorithms too.  It is not clear
  how one would migrate to ECDSA with SHA-256, for example."

The policy record needs to allow the sender to describe their signature
policy in sufficient detail that the lack of a signature header that
complies with the policy can be understood to indicate a forgery.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: dkim support for identity "assessment" mechanisms, John Levine
Next by Date:  Re: revised Proposed Charter, Arvel Hathcock
Previous by Thread:  RE: alternate key server mechanisms, Hallam-Baker, Phillip
Next by Thread:  Re: alternate key server mechanisms, Earl Hood
Indexes:  [Date] [Thread] [Top] [All Lists]