[ietf-dkim] RE: How MALLET PERFORMS a DOWNGRADE ATTACK
pbaker at verisign.com
Thu Aug 3 07:01:17 PDT 2006
> From: Stephen Farrell [mailto:stephen.farrell at cs.tcd.ie]
> Alice also had the option of sequentially signing if she
> considers one alg better than the other.
Think it through; it does not work. Mallet can still spoof because there is no way for Alice to say "expect the sequential signature".
Mallet can create a complete forgery with ZSA.
Without policy language support anyone who advertises a less supported algorithm is open to spoofing.
> > Alice MUST have a way to state "I always sign with BOTH ZSA
> > AND RSA2048".
> Sure - invent an "zsaandrsa2048" algorithm:-) But I don't see
> the reason for the MUST, since this only affects a Bob who's
> happy with rsa2048, and who is therefore vulnerable to
> whatever problems exist for that algorithm regardless of
> Alice's policy.
Bob does not see the RSA2048. Mallet only includes a fake sig for ZSA.
> > In effect the lack of the AND policy statement means that
> > it will never be possible to upgrade to a new algorithm
> > without rendering the policy specification void.
> There may or may not be a need for a separate AND construct
> but that's another layer of detail.
No, it has to be in base.
> If you could state an advantage in terms of collision-dodgy
> signature/hash algorithms then maybe it'd convince folks more.
> (Or, maybe not, we'll see.)
> And again - you've not said what's new here that causes us to
> end up with a different answer about this compared to when
> the WG considered it for base? (Or maybe you did and I missed it;-)
We are discussing the policy issue, not base.
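The downgrade the message describes, modelled as an added example; this is not code from the list post, from the DKIM drafts, or from any DKIM implementation. The names Alice, Bob, Mallet, rsa2048 and zsa are the thread's; everything else is constructed for the model. The signature primitives are stand-ins: rsa2048 is modelled with HMAC-SHA256 under a key only Alice holds (not real RSA, just something Mallet cannot forge), and zsa, the hypothetical broken algorithm, as a keyless digest that anyone can compute, which is what "Mallet can create a complete forgery" amounts to. Alice's "I always sign with BOTH" statement is modelled as a plain Python set, not as any proposed policy syntax. The stripped case covers sequential signing as well: whatever order Alice signs in, Bob only sees the signatures that survive Mallet.

```python
import hashlib
import hmac

# Constructed stand-in for Alice's rsa2048 private key. Mallet never has it;
# the verifier's use of it below plays the role of Alice's published public key.
ALICE_SIGNING_KEY = b"alice-rsa2048-stand-in-private-key"


def sign(alg, body, key=b""):
    """Return a signature tag for `body` under the stand-in algorithm `alg`."""
    if alg == "rsa2048":
        # Unforgeable without Alice's key (modelled with HMAC-SHA256, not real RSA).
        if not key:
            raise ValueError("rsa2048 stand-in needs Alice's key")
        return hmac.new(key, body, hashlib.sha256).digest()
    if alg == "zsa":
        # The hypothetical broken algorithm from the thread: no key is needed,
        # so anyone, Mallet included, can produce a tag that verifies.
        return hashlib.sha256(b"zsa:" + body).digest()[:8]
    raise ValueError("unknown algorithm: " + alg)


def verify(alg, body, sig):
    """Bob's check of one signature tag against the body."""
    if alg == "rsa2048":
        return hmac.compare_digest(sign(alg, body, ALICE_SIGNING_KEY), sig)
    if alg == "zsa":
        return hmac.compare_digest(sign(alg, body), sig)
    return False


def alice_send(body):
    """Alice's real practice: she signs every message with BOTH algorithms."""
    return {"body": body,
            "sigs": {"rsa2048": sign("rsa2048", body, ALICE_SIGNING_KEY),
                     "zsa": sign("zsa", body)}}


def mallet_forge(body):
    """Mallet cannot make an rsa2048 tag, so he attaches only a forged zsa tag."""
    return {"body": body, "sigs": {"zsa": sign("zsa", body)}}


def mallet_strip(msg):
    """Downgrade of a genuine message: drop the rsa2048 signature, keep the zsa one."""
    return {"body": msg["body"], "sigs": {"zsa": msg["sigs"]["zsa"]}}


def bob_accepts(msg, supported=("rsa2048", "zsa"), policy=None):
    """Bob's verifier.

    Without a policy he accepts if any signature in an algorithm he supports
    verifies, which is what lets Mallet's zsa-only message through. `policy` is
    the set of algorithms Alice has declared she ALWAYS signs with (the "AND"
    statement argued for in the message); when it is given, every algorithm in
    it must be present and valid, so a message missing the rsa2048 tag fails.
    """
    valid = {alg for alg, sig in msg["sigs"].items()
             if alg in supported and verify(alg, msg["body"], sig)}
    if policy is not None:
        return set(policy) <= valid
    return bool(valid)


def run_scenarios():
    """Outcomes for the cases discussed in the thread, keyed by scenario."""
    genuine = alice_send(b"Pay the invoice to the usual account")   # constructed
    forged = mallet_forge(b"Pay the invoice to Mallet's account")   # constructed
    both = {"rsa2048", "zsa"}
    return {
        # No policy: Bob supports zsa, so the forgery verifies (the downgrade).
        "genuine_no_policy": bob_accepts(genuine),
        "forged_no_policy": bob_accepts(forged),
        "stripped_no_policy": bob_accepts(mallet_strip(genuine)),
        # A Bob who supports only rsa2048 never sees a valid tag on the forgery.
        "forged_bob_rsa2048_only": bob_accepts(forged, supported=("rsa2048",)),
        # With the AND policy, anything lacking a valid rsa2048 tag is rejected.
        "genuine_and_policy": bob_accepts(genuine, policy=both),
        "forged_and_policy": bob_accepts(forged, policy=both),
        "stripped_and_policy": bob_accepts(mallet_strip(genuine), policy=both),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:26s} -> {'ACCEPT' if accepted else 'REJECT'}")
```

Running it shows the two sides of the argument side by side: with no policy, a Bob who supports zsa accepts both Mallet's outright forgery and a genuine message with its rsa2048 signature stripped, while a Bob who supports only rsa2048 rejects the forgery; once Bob applies the "both algorithms" policy, every message without a valid rsa2048 tag is rejected and only Alice's genuine message gets through.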