[ietf-dkim] RFC4871 interoperability conflict over "h= " tag
sm at resistor.net
Tue Jan 11 15:42:39 PST 2011
At 14:33 11-01-11, McDowell, Brett wrote:
>RFC 4871 states:
> > h= Acceptable hash algorithms (plain-text; OPTIONAL, defaults to
> > allowing all algorithms). A colon-separated list of hash
> > algorithms that might be used. Signers and Verifiers MUST
> > support the "sha256" hash algorithm. Verifiers MUST also support
> > the "sha1" hash algorithm.
>We have a DKIM-signed mail stream that is "passing" with Receiver1
>but failing with Receiver2 and it's Receiver2 who has a "new"
>interpretation of the requirement above. Here are the two
>interpretations, please let me know which is generally considered
>correct (or if both are wrong):
You can DKIM sign with SHA1 or SHA256 as the verifier supports
both. Your DKIM signing implementation has to implement SHA256.
If the DKIM verifier sees a DKIM-Signature using SHA1 while the DKIM
signer publishes h=sha256, see Section 6.1.2, step 7.
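The check that step describes, as an added example (this is not code from the thread or from any DKIM implementation): RFC 4871 Section 6.1.2, step 7 has the verifier ignore the key record and return PERMFAIL (inappropriate hash algorithm) when the record carries an h= tag that does not list the hash algorithm implied by the signature's a= tag, while a record with no h= tag accepts any algorithm, as the quoted tag definition says. Note that the h= tag inside the DKIM-Signature header names the signed header fields and has nothing to do with hash algorithms; only the key record's h= tag restricts them. All DKIM-Signature values and key records below are constructed; example.com, the selector and the key material are placeholders.

```python
"""
Apply the RFC 4871 Section 6.1.2, step 7 check: does the DNS key record's
"h=" tag permit the hash algorithm named by the DKIM-Signature "a=" tag?

Constructed sample data only; the domain, selector and key bytes are
placeholders, not real records.
"""
import re

# Constructed DKIM-Signature header values (b= and bh= are placeholders).
SIGNATURE_SHA1 = (
    "v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDERBODYHASH=;\r\n"
    "\tb=PLACEHOLDERSIGNATURE="
)
SIGNATURE_SHA256 = SIGNATURE_SHA1.replace("a=rsa-sha1", "a=rsa-sha256")

# Constructed key records as they would appear in the selector TXT record.
KEY_RECORD_SHA256_ONLY = "v=DKIM1; h=sha256; k=rsa; p=PLACEHOLDERKEY="
KEY_RECORD_BOTH = "v=DKIM1; h=sha1:sha256; k=rsa; p=PLACEHOLDERKEY="
KEY_RECORD_NO_H = "v=DKIM1; k=rsa; p=PLACEHOLDERKEY="


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 4871 Section 3.2) into a dict.

    Folding whitespace around and inside values is removed; an empty value
    such as "p=" is kept as "" so a revoked key stays distinguishable from
    a missing tag.
    """
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, val = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name!r}")
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def hash_from_a_tag(a_tag: str) -> str:
    """Return the hash algorithm part of an a= value such as "rsa-sha256"."""
    if "-" not in a_tag:
        raise ValueError(f"malformed a= tag: {a_tag!r}")
    _signing_alg, hash_alg = a_tag.split("-", 1)
    return hash_alg


def check_key_hash_algorithm(signature_header: str, key_record: str) -> str:
    """RFC 4871 Section 6.1.2, step 7.

    Returns "OK" when the key record permits the signature's hash
    algorithm, or "PERMFAIL (inappropriate hash algorithm)" when the record
    has an h= tag that does not list it. A record without h= allows all
    algorithms (the tag's documented default). Tag values are compared
    case-sensitively, as Section 3.2 requires unless a tag says otherwise.
    """
    sig = parse_tag_list(signature_header)
    key = parse_tag_list(key_record)
    if "a" not in sig:
        raise ValueError("DKIM-Signature lacks the required a= tag")
    wanted = hash_from_a_tag(sig["a"])
    if "h" not in key:
        return "OK"
    allowed = {alg for alg in key["h"].split(":") if alg}
    if wanted not in allowed:
        return "PERMFAIL (inappropriate hash algorithm)"
    return "OK"


if __name__ == "__main__":
    cases = [
        ("rsa-sha1 signature, key h=sha256", SIGNATURE_SHA1, KEY_RECORD_SHA256_ONLY),
        ("rsa-sha256 signature, key h=sha256", SIGNATURE_SHA256, KEY_RECORD_SHA256_ONLY),
        ("rsa-sha1 signature, key h=sha1:sha256", SIGNATURE_SHA1, KEY_RECORD_BOTH),
        ("rsa-sha1 signature, key without h=", SIGNATURE_SHA1, KEY_RECORD_NO_H),
    ]
    for label, sig, key in cases:
        print(f"{label}: {check_key_hash_algorithm(sig, key)}")
```

The first case is the situation in the thread: a signer still emitting rsa-sha1 under a key record that publishes h=sha256 gets a hard PERMFAIL from a verifier that implements step 7, while a verifier that skips the step passes the same message. Either publishing h=sha1:sha256 (or no h= tag) for the transition, or moving the signer to rsa-sha256, removes the discrepancy.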