[ietf-dkim] New Issue: Base: Upgrade indication and protection
against downgrade attacks
Michael Thomas
mike at mtcc.com
Thu Feb 16 08:14:52 PST 2006
Stephen Farrell wrote:
>
> Mark,
>
> Now that I've reset the brain a bit:-)
>
> Mark Delany wrote:
>
>> The gap created by the signer is the problem here so the rule needs to
>> be that a signer must sign from strongest to weakest, WITH NO GAPS.
>
>
> The assumption that all signers and verifiers have the same idea of an
> absolute strength-order for hash algorithms is a bit optimistic.
>
> For example, some countries do insist on national algorithms being
> supported - see rfc 4357 for example. I don't think I want to get into
> a dispute about whether the Gost-hash is better or worse than sha-256
> (or whatever) - do you?
If you can't rank algorithms, is there any meaningful concept of a
"downgrade attack"?
I'm sort of wondering though if Mark's problem here might be just as
easily solved by having a "current"/"next" kind of routine. That is,
only allow two in play at any one time, where < n-1 is deprecated.
Considering that 2822 is not nimble (ie, no ability to negotiate
e2e), is there any real likelihood that a reasonable receiver will
be two versions behind? It sort of strikes me like 40 bit only rc4
ssl: should we even care about such lame receivers?
Mike
More information about the ietf-dkim
mailing list