[ietf-dkim] Proposal for specifying syntax and semantics for
multiple signatures
Eric Rescorla
ekr at rtfm.com
Sun Apr 2 05:45:22 PDT 2006
Douglas Otis <dotis at mail-abuse.org> writes:
> On Sat, 2006-04-01 at 21:56 -0800, Dave Crocker wrote:
>>
>> Barry Leiba wrote:
>> > And I'd like to get us to close on two other discrete parts:
>> > 1. Whether we want to have a mechanism to let the signature survive
>> > the reordering of multiple sig headers or not.
>> ...
>> > 2. Whether we want to be able to detect the removal of a signature
>> > header (as perhaps in the case of a "stronger" one and leaving a
>>
>>
>> My question for each is why?
>>
>> To do either of these requires additional mechanism.
>
> Yes for 2. Perhaps a simple mechanism added optionally.
>
>> So the question is what benefit will accrue... and why that benefit
>> is essential to a task of the type DKIM is intended to perform?
>
> Transitioning algorithms in signed email may take long periods of time.
> When there are exploits possible with a prior algorithm being phased-
> out, until it is possible to ensure acceptance with just the newer
> convention, including both conventions will be required. This period
> could span a significant amount of time, and depend upon the motivation
> of all verifiers.
>
> Not have a mechanism to detect when the stronger signature is missing
> means even when the verifier does support a newer convention, the
> exploit remains possible, even for those verifiers that care about the
> problem. Selectively sending or verifying adds a greater amount of
> overhead.
Can you explain what "the exploit" means in this context?
I understand that technically you're talking about stripping out
the stronger signature, but under what set of circumstances do you
believe that this is useful as an attack?
-Ekr
More information about the ietf-dkim
mailing list