Re: [EAI] SPF and DKIM

["Charles Lindsey" <chl at clerew.man.ac.uk>]

On Thu, 08 Mar 2007 06:49:23 -0000, abel <abelyang at twnic.net.tw> wrote:

> Do we discuss those more ?

> 2. DKIM
>     Header change (downgraded / drop ) maybe break the signatures,
>
> a downgraded mail keeps the original header can follow DKIM, but DKIM
> should know how to verify and reduction.

There are no simple answers to the question of EAI and DKIM, but there are  
some possibilities that might be worth exploring.

But first some general points. The first requirement is that DKIM  
verifiers should be able to recognise when they are being asked to verify  
a downgraded message (what they do then is less certain, but without that  
information they are totally stuck).

And the second is that you should include as few headers in the signature  
as will suffice to achieve the desired level of security. The more headers  
that are included in the signature, the less likely that any verification  
will be possible.
> 2.1 Downgrading after DKIM, some header value has changed by downgrading
>    procedue when transmits, DKIM verifier should restores 'Downgraded:'
>    header to verify, and all 'Downgraded:' headers are above
> 'DomainKey-Signature'
>    header.

Yes, that is one possible approach. In principle the changes specified in  
our 'downgrade' document should be reversible. In practice, it is not so  
sure how well that would work. It might be easier if DKIM included an even  
more relaxed canonicalization algorithm. And it is more likely to work the  
fewer headers covered by the signature (but, unfortunately, including the  
From header is a MUST).

> 2.2 Downgrading before DKIM, DKIM signs the downgraded headers, it's
> possible
>    to include 'h=Downgraded:' in 'DomainKey-Signature', all 'Downgraded:'
>    headers are under DomainKey-Signature header, DKIM verifier should  
> verify
>    all 'Downgraded:' headers if there are 'Downgraded' in tags 'h='
>
>    And we still need to more consideration about the downgrading impact   
> in
>    DomainKey-Signature  tags 'd=' (domain) 'i=' (sender) 'z=' (header  
> name
>    and header values in quoted-printable) or more.

Again, if the downgrade process is suffficiently well defined that all  
downgraders will produce exactly the same dongraded message, then signing  
that (even if what you send is the original utf8 form) would suffice. Even  
better, include two signatures, one for the original utf8 version (which  
should verify without problem at site that receive it in that form) and  
one for the downgraded version.
> If we drops header values (such as uFor or others ) and the headers are
> signed in
> 'DomainKey-Signature' will cause Domain Key verifier  treats as a bad
> signature
> if they do not appear ,especially in trace field, that's fine in trace  
> filed
> rule
> and DKIM siner/verifier issue.

Generally speaking, signing trace fields is a Bad Thing.

It is doubtful whether this WG should be looking into this issue in too  
much detail at this stage, but it is nevertheless useful to have some idea  
of what the problems and possibilities might be, since the matter will  
have to be settled at some stage.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 ;                      
   Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

_______________________________________________
IMA mailing list
IMA at ietf.org
https://www1.ietf.org/mailman/listinfo/ima