[ietf-dkim] We are actually disagreeing on the point of policy
Was RE: 1368 straw-poll
stephen.farrell at cs.tcd.ie
Tue Feb 27 07:57:24 PST 2007
Hallam-Baker, Phillip wrote:
>> From: Stephen Farrell [mailto:stephen.farrell at cs.tcd.ie]
>> Hi Phill,
>> Hallam-Baker, Phillip wrote:
>>> The sequence of events hypothesized is:
>>> 1) Sender determines that the existing algorithm is deprecated
>>> 2) In response to (1) sender prepares to support an additional
>>> signature algorithm
>>> 3) In order to support (2) sender publishes an additional
>> key record
>>> for the new algorithm
>>> 4) Mallet starts sending bogus messages with forged signatures
>>> purporting to be under the new key
>>> 5) Receivers that have not yet upgraded to support the new
>> algorithm are unable to determine that the messages with
>> forged signatures are inconsistent with the signer's policy.
>> I think that that is clear. However, what do you say to the
>> fact that anyone can produce a message with a bad signature
>> that does adhere to such a policy? (By looking up the policy
>> or copying a real example.)
> The two examples you give are entirely different.
No. I just wasn't clear. My point was that a bad guy most likely
doesn't have to lookup policy (via DNS) if he sees a message that
conforms - that's enough to derive loads of new messages that do
(probably) conform to the published policy. I wasn't considering
strict replay, only totally bogus messages.
> Case 2: Policy at Paypal is 'I always sign with at least A'
> 1) If any signature under the paypal.com domain is valid the message is accepted.
> 2) If there is no signature whatsoever the message goes in the bit bucket
> 3) If there is no signature with A the message goes in the bit bucket
> 4) If there was a signature with a key record in A for an algorithm that is not understood then process the message using content filtering.
Eh..didn't you leave out:
5) Everything is policy-conformant, the receiver understands A,
but the signature bits are just wrong (since the message is
That's the case I want to know about, since if that is really a
problem I see no clear benefit in the "...with at least A" part of
the SSP statement.
More information about the ietf-dkim