[ietf-dkim] RFC4871bis - whether to drop -- h: Acceptable hash algorithms
Murray S. Kucherawy
msk at cloudmark.com
Mon Jun 8 02:53:12 PDT 2009
> -----Original Message-----
> From: Douglas Otis [mailto:dotis at mail-abuse.org]
> It seems suitable to either reject or annotate a stern warning, those
> messages where the domain refutes the algorithm claimed in the DKIM
I'm still not convinced, but you have me thinking about it.
You're claiming that an attacker might craft a message claiming to use a hash called something like MD6, and the absence of "h=md6" in the corresponding key named by "d=" and "s=" in the signature should cause a rejection or an appropriate annotation. But that would presuppose the "a=" in the signature contains something like "rsa-md6" and, further, that the verifier knows what that means. Otherwise, wouldn't the verifier in that case just kick the signature out claiming an unknown signing algorithm?
Given that there are currently only two possible values for "a=" in a signature, the only actual attack vector here is an "rsa-sha1" signature from a site that claims "h=sha256" or vice-versa.
Is that still something about which we should be concerned?
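
The two cases distinguished in this message, as an added example that is not part of the original post or of any DKIM implementation: an "a=" value the verifier does not recognise, versus a recognised "a=" whose hash is absent from the key record's "h=" list. Function names and result labels are hypothetical, and the sample signatures and key records are constructed.

```python
# Added illustration; names and result labels are hypothetical.
# The two "a=" values the message refers to, mapped to the hash each implies.
KNOWN_SIG_ALGS = {"rsa-sha1": "sha1", "rsa-sha256": "sha256"}

def parse_tags(text):
    """Parse a DKIM tag=value list (signature header or key record)."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Drop folding whitespace inside the value.
            tags[name.strip()] = "".join(value.split())
    return tags

def check_hash_policy(sig_header, key_record):
    """Compare the signature's "a=" with the key record's "h=" list."""
    sig = parse_tags(sig_header)
    key = parse_tags(key_record)
    alg = sig.get("a", "")
    if alg not in KNOWN_SIG_ALGS:
        # e.g. "rsa-md6": the verifier cannot evaluate the signature at all,
        # so "h=" in the key record never comes into play.
        return "unknown-signing-algorithm"
    if "h" not in key:
        # No "h=" in the key record: no restriction on the hash.
        return "ok"
    allowed = {h for h in key["h"].split(":") if h}
    if KNOWN_SIG_ALGS[alg] not in allowed:
        # The remaining case: rsa-sha1 against "h=sha256", or vice versa.
        return "hash-refused-by-key"
    return "ok"

# Constructed sample inputs (placeholders instead of real hashes and keys).
SIG_MD6 = "v=1; a=rsa-md6; d=example.com; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER"
SIG_SHA1 = "v=1; a=rsa-sha1; d=example.com; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER"
SIG_SHA256 = "v=1; a=rsa-sha256; d=example.com; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER"
KEY_SHA256_ONLY = "v=DKIM1; h=sha256; k=rsa; p=PLACEHOLDER"
KEY_BOTH = "v=DKIM1; h=sha1 : sha256; k=rsa; p=PLACEHOLDER"
KEY_NO_H = "v=DKIM1; k=rsa; p=PLACEHOLDER"

if __name__ == "__main__":
    for sig in (SIG_MD6, SIG_SHA1, SIG_SHA256):
        for key in (KEY_SHA256_ONLY, KEY_BOTH, KEY_NO_H):
            print(parse_tags(sig)["a"], "|", key, "->", check_hash_policy(sig, key))
```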