[ietf-dkim] draft-ietf-dkim-base-08 submitted

Hector Santos hsantos at santronics.com
Mon Jan 22 04:32:10 PST 2007


Charles Lindsey wrote:
> On Fri, 19 Jan 2007 14:36:42 -0000, Barry Leiba <leiba at watson.ibm.com> 
> wrote:
> 
>> Most of the changes that Eric made should be non-controversial, 
>> involving clarifications and tweaking that have helped us (the draft 
>> authors and the working group chairs) explain things to the IESG. 
>> Regardless, though, of the non-controversial nature of those changes, 
>> the chairs would like the working group to review the document fully.
> 
> Simple Canonicalization
> 
> The revised wording achieves what it was intended to achieve, namely 
> that an empty/absent <body> result in a single <CRLF> to be hashed.
> 
> What is not clear is WHY this alternative was chosen (as opposed to 
> letting it result in an empty <body>).
> 
> I have repeatedly asked for a reason as to WHY this outcome is thought to 
> be desirable, but no explanation has been forthcoming. So I ask the 
> question again now.
> 
> WHY?
> 
> Note, this is not (yet) an objection to the draft - just a request for 
> explanation.

IMO, I think it was obvious, but I'll take a shot.

When the l= tag is specifically set to a zero value (e.g., l=0), per 
DKIM-BASE specification this means there is no hashing of the body, 
regardless of size.   As a consequence, technically, the body can be 
altered and passed on.

When the l= tag is not zero, this means the body was hashed, including 
the possibility of the l=2 condition, where only two bytes were 
hashed, which may or may not be <CRLF> bytes.

So you have three conditions:

   l=0    No Body hashing (original body is not protected)
   l=2    May or may not be empty (could be 2 non CRLF bytes)
   l>2    Not an empty message, contains at least 1 byte.

So why would one hash an l=2 condition?

In order to distinguish between a hashing condition (l is not zero) and 
a non-hashing condition (l is zero) and the special case where the body 
is actually deemed SIMPLE c14n "empty", it might be desirable to hash 
the SIMPLE c14n "empty" body to simply indicate that the *original 
message body* was indeed EMPTY and not a case where the BODY was altered 
to a zero size.

Example:

Let's suppose I signed all my mail headers only, but not the body. I 
therefore have an l=0 tag in the DKIM-Signature. bh= is not defined.

Why I would do this is out of scope, but of course, it makes our 
message insecure and vulnerable to replay exploitations where the body 
was altered and is not the original.  Nonetheless, the spec does allow for 
a non-hashing body (l=0) provision.

We soon discover this is not a good idea and begin to hash the body.

Inevitably, we will come across an original message where the body is 
reduced to a SIMPLE c14n "empty" message.

We can't use an l=0 concept because that opens the door for the above 
body-altering exploitation.

So we hash the SIMPLE c14n empty message with the <crlf> l=2 bytes to 
indicate that the message was indeed "empty" and not some maliciously 
body-altered message, as it could be if l=0 were allowed to be used to 
indicate an "empty" message.

Hope that explains it.


---
HLS
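The three conditions tabulated in the post above, worked through in code. This is an added example, not code from the post or from the DKIM drafts: it implements the "simple" body canonicalization of draft-ietf-dkim-base (trailing empty lines stripped, result always ends in one CRLF, so an empty body becomes a single CRLF), applies the l= count after canonicalization, and computes bh=. The function names, the constructed sample bodies, and the verifier's choice to reject an l= larger than the canonicalized body are this example's own assumptions. It shows why hashing the single CRLF of an empty body protects against a replaced body while l=0 does not.

```python
import base64
import hashlib

CRLF = b"\r\n"


def simple_body_canonicalize(body: bytes) -> bytes:
    """'simple' body canonicalization (draft-ietf-dkim-base section 3.4.3).

    Trailing empty lines are removed and the result always ends in one
    CRLF, so an absent or empty body canonicalizes to exactly b"\\r\\n".
    Assumes the body already uses CRLF line endings, i.e. wire format.
    """
    if not body.endswith(CRLF):
        body += CRLF                   # spec: add a CRLF if it is missing
    while body.endswith(CRLF + CRLF):
        body = body[:-len(CRLF)]       # drop empty lines at the end
    return body


def body_hash(canon_body: bytes, l=None, algo="sha256"):
    """Apply the l= body length count after canonicalization (section 3.7)
    and return (bh= value, number of octets that were actually hashed)."""
    data = canon_body if l is None else canon_body[:l]
    bh = base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")
    return bh, len(data)


def sign_body(body: bytes, l=None):
    """Signer side: canonicalize, truncate to l=, hash."""
    return body_hash(simple_body_canonicalize(body), l)


def verify_body(received_body: bytes, bh: str, l=None) -> bool:
    """Verifier side: recompute bh= over the received body with the same l=.

    Rejecting an l= larger than the canonicalized body is this example's
    own policy (assumption), not text quoted from the draft.
    """
    canon = simple_body_canonicalize(received_body)
    if l is not None and l > len(canon):
        return False
    got, _ = body_hash(canon, l)
    return got == bh


if __name__ == "__main__":
    # The three conditions from the table in the post, starting from an
    # originally empty body (constructed sample inputs).
    bh_l0, n0 = sign_body(b"", l=0)         # l=0 : zero octets hashed
    bh_empty, n2 = sign_body(b"", l=None)   # full: the single CRLF is hashed
    bh_ab, nab = sign_body(b"ab", l=2)      # l=2 : two non-CRLF octets hashed
    print("l=0   :", n0, "octets hashed,", bh_l0)
    print("empty :", n2, "octets hashed,", bh_empty)
    print("l=2 ab:", nab, "octets hashed,", bh_ab)

    # l=0 leaves the body unprotected: a replaced body still verifies.
    forged = b"Please wire the money today.\r\n"   # constructed sample
    print("forged body verifies under l=0      :", verify_body(forged, bh_l0, l=0))
    # Hashing the canonical empty body (one CRLF) pins it down instead.
    print("forged body verifies under bh(CRLF) :", verify_body(forged, bh_empty))
    # Any body that is only trailing empty lines is still "empty" after c14n.
    print("blank-lines body verifies under bh(CRLF):",
          verify_body(b"\r\n\r\n\r\n", bh_empty))
```

Run it with `python3 dkim_simple_body.py`. Note that `sign_body(b"", l=2)` and `sign_body(b"ab", l=2)` both hash exactly two octets but yield different bh= values, which is the "may or may not be empty" case in the table: the length tag alone does not tell a verifier whether the original body was empty; only the hashed CRLF does.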


