[ietf-dkim] Re: signature construct
Amir Herzberg
herzbea at macs.biu.ac.il
Fri Oct 14 05:09:09 PDT 2005
Stephen Farrell wrote:
>
> Folks - was Earl's idea considered before?
I must admit, I thought this is what we do... definitely, we _should_
do....
<skip>
>
> PS: Just so's I can reconstruct it for myself later, the construct
> might end up something like:
> body-hash = Hash1(nonce, body)
I think more like:
body-hash = Hash(C14n(body))
i.e.: no nonce (a nonce in input to hash? I think may make it easier to
find collisions, not harder...); and explicitly apply the (specified)
C14n alg. to the body, don't mix it with the crypto-hash operation.
> sig-bits = Private-key(Hash2(nonce,header-stuff, body-hash))
sig-bits = Sign_s(headers)
Where:
    s is the private signing key of the DKIM-signer (sender, sending
      MTA, etc.)
    Sign is the selected signature algorithm, including any hash
      computation which is part of the signing algorithm, e.g. RSA_SHA1,
      ECDSA_256
    headers is the list of included headers, and normally/always
      includes body-hash (why specify it separately?)
    nonce again removed for same reasons...
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI:
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame
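
Added example (not part of the original message or of any DKIM draft): a Python sketch of the two-step construct described above, body-hash = Hash(C14n(body)) followed by a signature over the header list that includes body-hash. Assumptions: the C14n rules, the `Body-Hash` header name, SHA-256 as Hash, and HMAC-SHA256 standing in for the public-key Sign_s so the code needs only the standard library; the sample message and key are constructed.

```python
import base64
import hashlib
import hmac

# Constructed demo key. HMAC-SHA256 stands in for Sign_s so this runs on the
# standard library; a real signer uses a public-key algorithm with key s.
DEMO_KEY = b"constructed-demo-key"


def c14n(body):
    """Assumed C14n: strip trailing whitespace, drop trailing blank lines, CRLF."""
    lines = [ln.rstrip() for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines).encode()


def body_hash(body):
    """body-hash = Hash(C14n(body)): C14n is a separate step before the hash."""
    return base64.b64encode(hashlib.sha256(c14n(body)).digest()).decode()


def serialize(headers):
    """Assumed header serialization: lowercase name, trimmed value, CRLF."""
    return "".join(f"{n.lower()}:{v.strip()}\r\n" for n, v in headers).encode()


def sign_message(headers, body, key=DEMO_KEY):
    """sig-bits = Sign_s(headers), where headers includes body-hash."""
    signed = list(headers) + [("Body-Hash", body_hash(body))]
    return signed, hmac.new(key, serialize(signed), hashlib.sha256).hexdigest()


def verify_message(signed, sig, body, key=DEMO_KEY):
    """Check the signature over the headers first, then the body against body-hash."""
    expected = hmac.new(key, serialize(signed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "bad-signature"
    if dict(signed).get("Body-Hash") != body_hash(body):
        return "body-mismatch"
    return "ok"


# Constructed sample message.
HEADERS = [("From", "alice@example.org"), ("Subject", "hello")]
BODY = "Hi Bob,\nsee you at noon.\n"
SIGNED, SIG = sign_message(HEADERS, BODY)
```

Because the body is bound only through body-hash, a verifier can reject on the header signature without reading the body, and a body change that the C14n step does not absorb is reported separately from a header change.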