[ietf-dkim] Final update to 4871bis for working group review
presnick at qualcomm.com
Fri Jul 8 10:51:39 PDT 2011
I want to try to be precise, which I don't think Charles is being with
his below two sets of "facts". Let me try to clarify:
On 7/8/11 5:52 AM, Charles Lindsey wrote:
> 1. The fact that DKIM choose headers to sign from the bottom up (for good
> reason) facilitates certain attacks (not against DKIM, but certainly
> against somone/something) needs to be drawn to the attention of
> implementors of identity assessors, so that they can take appropriate
What Charles have written above is not true, or at the very least
extremely imprecise and confusing. Try this:
1a. The fact that DKIM signers can (optionally) sign a message in such a
way that header fields can be added to the top of the message by
intermediaries without invalidating the signature means that unsigned
header fields can appear at the top of a validly signed message needs to
be drawn to the attention of implementors...
1b. The fact that DKIM signers can sign header fields with all manner of
unverified data in them, including header fields that might violate the
syntax requirements of RFC 5322, without invalidating the signature
means that header fields with unverified data can appear in an validly
signed message needs to be drawn to the attention of implementors...
I *believe* what I said contains all of the information that Charles
wrote in his #1. If I missed something, please say.
But I also believe that the current security considerations section
*says* all that. If you think it doesn't capture something in the above
two statements, please say.
> 2. The fact that an attacker (whilst following DKIM to the letter) can use
> it, in conjunction with duplicated headers, to add credence to his message
> also needs to be drawn to their attention.
That one is simply bogus. The document repeatedly (and correctly) states
that having a DKIM signature *does not*, and *ought not*, in an of
itself, add any credence to a message. If that needs to be made clearer,
I'm all for it. But I think it is currently perfectly clear in the document.
In any event, neither of Charles suggested additions captured what I
have written above. I believe the current text does.
Qualcomm Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102
More information about the ietf-dkim