[ietf-dkim] Proposal for specifying syntax and semantics for multiple signatures

Douglas Otis dotis at mail-abuse.org
Wed Apr 5 10:20:35 PDT 2006 

On Apr 5, 2006, at 4:49 AM, Arvel Hathcock wrote:
>> The validator either considers a signature "strong" enough or they  
>> don't.  That choice is the validator's and it does not matter in  
>> the least whether the signer agrees.
>
> Correct!  That is my view on the matter also.


A signer may need to add two signatures at differing strengths when  
responding to an exploitation risk while also ensuring their  
continued general acceptance when few verifiers have adopted a newer  
algorithm.

- A verifier is _expected_ to accept various levels of signature  
strength.

- A verifier _may_ consider some messages "unsigned" when the  
strength of the signature is deemed by verifier to be too weak.

- When a significant portion of messages are signed at some level, it  
will be problematic to dismiss these signatures.

- A widely used signature strength may be deemed unsatisfactory by a  
signer who responds by offering _two_ signatures.

- Until either the verifier is able to exclude the signature with the  
weaker algorithm, or the signer is able to apply only a single  
signature, the stronger of the two signatures will not offer added  
protection.

The loss of protection is due to a lack of signer communication to  
the verifier.  Without causing a sizable disruption, this missing  
information will create perhaps a sizable period of exposure to an  
exploit well beyond the control of the signer.  The general design  
should minimize interchanges needed to communicate a desired strength  
offered by the signer.  This communication will prevent a "down- 
grade" exploitation from being successful.  This information can be  
carried in a number of ways.

This information can be carried within the key of the weaker  
signature.  An "alternative algorithm" field could be added to  
indicate this signature is _always_ accompanied by a signature based  
on this alternative algorithm.  A primary/secondary flag does this as  
well, and permits a general matrix of options while consuming a  
single bit of information.

Wrapping a stronger signature with a weaker signature assumes there  
is only a partial failure of the weaker algorithm.

Not all mail is the same.  Resources expended to compromise some  
email may be focused and affect only a small percentage of the  
signers.  DKIM should ensure this targeted minority of critical email  
signers can quickly respond, and that verifier are not susceptible to  
a "down-grade" exploit.

-Doug

More information about the ietf-dkim mailing list