[dkim-dev] need an interpretation of the base spec
Michael Thomas
mat at cisco.com
Tue Jun 3 15:38:58 PDT 2008
I'm pretty sure I agree with Murray... but what does my reflector do? :)
Mike
Tony Hansen wrote:
> I need an interpretation of the base spec here.
>
> RFC 4871 section 3.5:
> b= The signature data (base64; REQUIRED). Whitespace is ignored in
> this value and MUST be ignored when reassembling the original
> signature. In particular, the signing process can safely insert
> FWS in this value in arbitrary places to conform to line-length
> limits. See Signer Actions (Section 5) for how the signature is
> computed.
>
> ABNF:
>
> sig-b-tag = %x62 [FWS] "=" [FWS] sig-b-tag-data
> sig-b-tag-data = base64string
>
> RFC 4871 section 3.7:
>
> 2. The DKIM-Signature header field that exists (verifying) or will
> be inserted (signing) in the message, with the value of the "b="
> tag deleted (i.e., treated as the empty string), canonicalized
> using the header canonicalization algorithm specified in the "c="
> tag, and without a trailing CRLF.
>
> The test case has a DKIM signature that looks like this:
>
> DKIM-Signature: v=1; q=dns/txt; d=example.com; s=sel1; a=rsa-sha256;^M
> h=Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:^M
> From:Date:To; bh=HryPFX2R6r7JPsX1Z7+yReZddQR2PjvCvdXgaxW5QYU=; b=^M
> dMozOMJVKhnCk7NnC7lqWIdhwU7Jv3DzAmoEC+Ums0KqAe9FOhqPCtbCAN^M
> 061sS2aiKRDA8pzjTeFBsF40yDuYyvJ85ZY1PR5O736DeBEHGw3QX3s9/^M
> LRFcqXV2na7YkJorUyMm4BXDSgmpW3TR8GiiUNXXKaHeucvxxOr3Lq0g=^M
>
> Note how the "b=" is separated from the hash key by the CRLF and white
> space.
>
> Now the question: Does the "value of the 'b=' tag" (that is deleted per
> section 3.7) mean 1) exactly the sig-b-tag-data, or 2) does it include
> the [FWS] between the "=" and the sig-b-tag-data?
>
> Depending on the order you do the remove and canonicalization, and your
> answer to the above question, if #1, then the canonicalized form of the
> DKIM-Signature will use
> c=simple "b= "
> c=relaxed "b= "
>
> And if #2, then the canonicalized form of the DKIM-Signature will use
> c=either "b="
>
> I've seen two different interpretations of this. Of 3 different
> reflectors I got responses from, 2 appear to follow #2 and 1 appears to
> follow #1. One version of my own code is whitespace-preserving, as in
> #1, but another set of code I wrote is not, as in #2. Argh!
>
> Right now, I'm leaning towards thinking that #2 is correct. What say the
> rest of you?
>
> Tony Hansen
> tony at att.com
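The two readings of the "b=" deletion discussed in this thread, worked through on the quoted test header. This is an added example, not code from either poster or from any DKIM implementation. The function names and the `canon_first` switch are assumptions made for illustration, as is the single-space indent on the continuation lines.

```python
import re

# Test header from the post ("^M" is CR, so lines end in CRLF). Assumption: each
# continuation line starts with one space; the archive lost the original indent.
HEADER = (
    "DKIM-Signature: v=1; q=dns/txt; d=example.com; s=sel1; a=rsa-sha256;\r\n"
    " h=Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:\r\n"
    " From:Date:To; bh=HryPFX2R6r7JPsX1Z7+yReZddQR2PjvCvdXgaxW5QYU=; b=\r\n"
    " dMozOMJVKhnCk7NnC7lqWIdhwU7Jv3DzAmoEC+Ums0KqAe9FOhqPCtbCAN\r\n"
    " 061sS2aiKRDA8pzjTeFBsF40yDuYyvJ85ZY1PR5O736DeBEHGw3QX3s9/\r\n"
    " LRFcqXV2na7YkJorUyMm4BXDSgmpW3TR8GiiUNXXKaHeucvxxOr3Lq0g=\r\n"
)

def simple(field):
    """'simple' header canonicalization: the field is used unchanged."""
    return field

def relaxed(field):
    """'relaxed' header canonicalization (RFC 4871 section 3.4.2)."""
    name, _, value = field.partition(":")
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse WSP, trim both ends
    return name.strip().lower() + ":" + value

def empty_b(field, keep_fws):
    """Delete the b= value. keep_fws=True is reading #1 (only sig-b-tag-data is
    removed); keep_fws=False is reading #2 (the [FWS] after "=" is removed too)."""
    name, colon, tags = field.partition(":")
    out = []
    for tag in tags.split(";"):
        m = re.fullmatch(r"(\s*b\s*=)(\s*)(.*)", tag, re.S)   # "bh=" cannot match
        if m:
            tag = m.group(1) + (m.group(2) if keep_fws else "")
        out.append(tag)
    return name + colon + ";".join(out)

def signing_form(header, canon, keep_fws, canon_first=False):
    """Text of the DKIM-Signature field that is hashed (section 3.7 item 2)."""
    field = header[:-2] if header.endswith("\r\n") else header   # no trailing CRLF
    if canon_first:
        return empty_b(canon(field), keep_fws)
    return canon(empty_b(field, keep_fws))

if __name__ == "__main__":
    for canon in (simple, relaxed):
        for keep_fws in (True, False):
            for canon_first in (False, True):
                tail = signing_form(HEADER, canon, keep_fws, canon_first)[-7:]
                print(canon.__name__, "#1" if keep_fws else "#2",
                      "canon-first" if canon_first else "delete-first", repr(tail))
```

Under reading #2 every combination ends in `b=`. Under reading #1, simple ends in `b=` followed by CRLF and a space, and relaxed ends in `b= ` only when canonicalization runs before the deletion; deleting first lets relaxed strip the leftover trailing space.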