Murray S. Kucherawy wrote:
> On Mon, 14 Jan 2008, Murray S. Kucherawy wrote:
>> It seems to me that this change within dkim_policy() causes it to deviate from the most recent published draft for SSP, which does not take into account the "t" flag on the key itself. The extent of "t=s" in the key record in particular is to consider the signature invalid if the message is signed for a subdomain when the published key record explicitly prohibits such. This is part of RFC4871 and thus that decision process is complete before dkim_policy() is ever called. dkim_policy() is meant only to implement SSP, so making this change inside dkim_policy() isn't quite the right place to do it as the libdkim API is currently designed.
>
> To be more precise, step 1 of the SSP algorithm says:
>
>     1. If a valid Originator Signature exists, the message is not Suspicious, and the algorithm terminates.
>
> If your message is signed for a subdomain, thus:
>
>     DKIM-Signature: ...; [EMAIL PROTECTED]; d=example.com; ...
>     From: [EMAIL PROTECTED]
>
> ...and the key claims "t=s", then this signature will not verify according to RFC4871. It's thus not a valid Originator Signature as defined in SSP and can't be considered to satisfy (1) in the SSP algorithm.

Please note that my patch checks the key's t tag when it verifies subdomain messages, and it will verify the signature only if t=s doesn't exist there:

    if ((sig->sig_flags & DKIM_SIGFLAG_NOSUBDOMAIN) == 0)

Therefore, I think my patch is in concordance with RFC4871's definition of a valid originator signature. On the other hand, your patch has the following flaws:

- it doesn't test the key's t tag when verifying subdomain signatures
- it uses strlcpy() instead of sm_strlcpy()

As for SSP's t tag, the draft says that t=s only disables the given policy for its subdomains, hence you will have to query _ssp._domainkey.subdom.example.com if you want to obtain the SSP policy of a given subdomain. But, since all I'm interested in is checking whether the given signature is a valid originator signature or not, it doesn't make sense to verify the SSP record at that point.

Granted, my patch could be improved by the following changes:

- dkim_signer should be populated before the dkim_policy() call, making the dkim_param_get() call unnecessary
- if originator signature verification fails, the proper SSP policy should be found by querying the subdomain's SSP entry when the domain policy has t=s and the identity is in a subdomain (e.g. if the sender is in subdom1.subdom2.domain.com, queries will be made in this order: domain.com, subdom2.domain.com, subdom1.subdom2.domain.com)
- the i tag and sender should match. A dkim_sig_signer() call would be the best way to accomplish that, but you need to remove that pesky "#if 0" before its definition ;)
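The two decisions argued over above, written out as an added example that is not dkim-milter or libdkim code: first, whether a signature made for a subdomain still verifies under RFC 4871 once the key's t=s flag is honoured, and hence whether it can be the SSP Originator Signature of step 1; second, the order in which _ssp._domainkey records would be queried when it cannot. The flag names, the constructed policy table standing in for DNS answers, and the organizational-domain argument passed to ssp_query_order() are assumptions of this example, not the library's API.

```c
/* Added example, not dkim-milter/libdkim code. Flag names, the policy
 * table and the org_domain argument are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAXDOM 256
#define KEY_FLAG_NOSUBDOMAIN    0x01  /* published key record says t=s */
#define POLICY_FLAG_NOSUBDOMAIN 0x01  /* published SSP record says t=s */

/* 1 if child is a proper subdomain of parent (case-insensitive). */
static int is_subdomain(const char *child, const char *parent)
{
    size_t cl = strlen(child), pl = strlen(parent);
    if (cl <= pl)
        return 0;
    return child[cl - pl - 1] == '.' &&
           strcasecmp(child + (cl - pl), parent) == 0;
}

/* RFC 4871: the i= domain must be d= itself or a subdomain of d=, and a
 * subdomain identity is rejected when the key record carries t=s. */
static int signature_valid(const char *i_domain, const char *d, int key_flags)
{
    if (strcasecmp(i_domain, d) == 0)
        return 1;
    if (!is_subdomain(i_domain, d))
        return 0;
    return (key_flags & KEY_FLAG_NOSUBDOMAIN) == 0;
}

/* SSP step 1: an Originator Signature is a *valid* signature whose
 * identity domain matches the From: domain. */
static int originator_signature(const char *from_domain, const char *i_domain,
                                const char *d, int key_flags)
{
    return signature_valid(i_domain, d, key_flags) &&
           strcasecmp(from_domain, i_domain) == 0;
}

/* Constructed stand-in for DNS answers: the two upper policies say t=s,
 * so neither of them applies to the subdomain below it. */
struct policy { const char *domain; int flags; };
static const struct policy policies[] = {
    { "domain.com",                 POLICY_FLAG_NOSUBDOMAIN },
    { "subdom2.domain.com",         POLICY_FLAG_NOSUBDOMAIN },
    { "subdom1.subdom2.domain.com", 0 },
};

/* Flags of the policy published for domain, or -1 when there is none. */
static int lookup_policy(const char *domain)
{
    size_t i;
    for (i = 0; i < sizeof policies / sizeof policies[0]; i++)
        if (strcasecmp(policies[i].domain, domain) == 0)
            return policies[i].flags;
    return -1;
}

/* cur is a suffix of sender; return the suffix that is one label longer. */
static const char *next_label_toward(const char *sender, const char *cur)
{
    const char *p = sender + strlen(sender) - strlen(cur);
    if (p <= sender)
        return sender;
    p--;                                  /* the '.' in front of cur */
    while (p > sender && p[-1] != '.')
        p--;
    return p;
}

static char queries[8][MAXDOM];

/* Query order described in the thread: start at the organizational domain
 * (how that is chosen is outside this example) and descend one label at a
 * time toward the sender's domain for as long as each policy found says
 * t=s. Returns the number of queries made; names are left in queries[]. */
static int ssp_query_order(const char *sender_domain, const char *org_domain)
{
    const char *cur = org_domain;
    int n = 0;

    if (strcasecmp(sender_domain, org_domain) != 0 &&
        !is_subdomain(sender_domain, org_domain))
        return 0;                         /* org_domain is not an ancestor */

    while (n < 8) {
        int flags;
        snprintf(queries[n++], MAXDOM, "_ssp._domainkey.%s", cur);
        flags = lookup_policy(cur);
        if (flags < 0 || (flags & POLICY_FLAG_NOSUBDOMAIN) == 0)
            break;                        /* no record, or it covers subdomains */
        if (strcasecmp(cur, sender_domain) == 0)
            break;                        /* already at the sender's domain */
        cur = next_label_toward(sender_domain, cur);
    }
    return n;
}

static const char *ssp_query(int i) { return queries[i]; }

int main(void)
{
    int n, i;
    /* the case from the thread: i=@sub.example.com, d=example.com, key t=s */
    printf("originator signature with t=s key: %d\n",
           originator_signature("sub.example.com", "sub.example.com",
                                "example.com", KEY_FLAG_NOSUBDOMAIN));
    n = ssp_query_order("subdom1.subdom2.domain.com", "domain.com");
    for (i = 0; i < n; i++)
        printf("query %d: %s\n", i + 1, ssp_query(i));
    return 0;
}
```

With the t=s key the subdomain signature fails signature_valid(), so originator_signature() returns 0 and the SSP lookup runs; with the constructed table it asks domain.com, then subdom2.domain.com, then subdom1.subdom2.domain.com and stops there because that record does not say t=s.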
_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
