[ietf-dkim] Re: signature construct
dotis at mail-abuse.org
Mon Oct 17 21:58:03 PDT 2005
On Tue, 2005-10-18 at 00:39 +0000, Mark Delany wrote:
> On Mon, Oct 17, 2005 at 05:09:01PM -0500, Earl Hood allegedly wrote:
> [ re body hashes ]
> > It also provides benefits in diagnostics, logging, auditing, and
> > dealing with multiple signatures.
> On the matter of diagnostics, while a binary indicator saying the
> cause of a failure is the header vs the content is mildly useful, I
> think the whole role of diagnostic mechanisms needs to much more
> comprehensive than this to be useful. It's one of the areas that we
> started focusing on heavily in DK - what additional diagnostic
> material can be supplied to help automate and categorize verification
> I would hazard that comprehensive, automated diagnostics should be
> available before finalizing canonicalization.
Much more can be done in the area of diagnostics. Capturing the body
hash would be useful and not add substantially to the overall overhead.
As Earl points out, it also allows the disposition of the signature to
be determined ahead of the data phase completing. This may allow
earlier execution of other checks, such as reputation checks on the IP
address, when the signature is found bad. Invalid hash should not
provide some acceptance value, and at some point the message may be
dropped as a result.
It might be handy to define a header diagnostic which lists header
checksums to also isolate which header is being damaged. I could draw
up some ideas.
More information about the ietf-dkim