[ietf-dkim] draft-ietf-dkim-base-08 submitted
hsantos at santronics.com
Mon Jan 22 04:32:10 PST 2007
Charles Lindsey wrote:
> On Fri, 19 Jan 2007 14:36:42 -0000, Barry Leiba <leiba at watson.ibm.com>
>> Most of the changes that Eric made should be non-controversial,
>> involving clarifications and tweaking that have helped us (the draft
>> authors and the working group chairs) explain things to the IESG.
>> Regardless, though, of the non-controversial nature of those changes,
>> the chairs would like the working group to review the document fully.
> Simple Canonicalization
> The revised wording achieves what it was intended to achieve, namely
> that an empty/absent <body> result in a single <CRLF> to be hashed.
> What is not clear is WHY this alternative was chosen (as opposed to
> letting it result in an empty <body>).
> I hae repeatedly asked for a reason as to WHY this outcome is thought to
> be desirable, but no explanation has been forthcoming. So I ask the
> question again now.
> Note, this is not (yet) an objection to the draft - just a request for
IMO, I think it was obvious, but I'll take a shot.
When the l= tag is specifically set to a zero value (e.g., l=0), per
DKIM-BASE specification this means there is no hashing of the body,
regardless of size. As a consequence, technically, the body can be
altered and passed on.
When the l= tag is not zero, this means the body was hashed, including
the possibility of the l=2 condition where there was only two bytes
hashed which MAY OR MAYBE be <CRLF> bytes.
So you have three conditions:
l=0 No Body hashing (original body is not protected)
l=2 May or may not be empty (could be 2 non CRLF bytes)
l>2 Not an empty message, contains at least 1 byte.
So why would one hash a L=2 condition?
In order to distinguish between a hashing condition (l is not zero) and
a non-hashing condition (l is zero) and the special case where the body
is actually deemed SIMPLE c14n "empty", it might be desirable to hash
the SIMPLE c14n "empty" body to simply indicate that the *original
message body* was indeed EMPTY and not a case were the BODY was altered
to a zero size.
Lets suppose I signed all my mail headers only, but not the body. I
therefore have a L=0 tag in the DKIM-Signature. bh= is not defined.
Why I would I do this is out of scope, but of course, it makes our
message insecure and vulnerable to replay exploitations where the body
was altered and not the original. Nonetheless, the specs does allow for
a non-hashing body (l=0) provision.
We soon discover this is not a good idea and begin to hash the body.
Inevitably, we will come across an original message where the body is
reduced to a SIMPLE c14n "empty" message.
We can't use a L=0 concept because that opens the door for the above
body altering exploitation.
So we hash the SIMPLE c14n empty message with the <crlf> l=2 bytes to
indicate that the message was indeed "empty" and not some malicious body
altered message if l=0 was allowed to be used to indicate an "empty"
Hope that explains it.
More information about the ietf-dkim