On Sun 30/Aug/2020 14:07:33 +0200 Douglas E. Foster wrote:
> Since we are designing a system that allows a mediator to alter Subject and
> Body, it should be no surprise that the conditional signature has the potential
> for re-use. A well behaved mediator must be assumed before any such trust
> delegation is granted.
> I see no way to ensure that the conditional signature is single-use. As long as
> all of the signature's hashed content can be replicated onto another message,
> the signature can be reused.
Yes. That's true for any DKIM signature, in particular if using l=, which
allows appending varying content.
> The more important question is whether conditional signature could be subject
> to third-party attacks. Does the limited and predictable content of a
> conditional signature increase the risk that a bad guy could use
> guess-and-test to construct a valid signature block for someone else?
If you have the signature, you presumably have the whole message. So there's
no need to guess. It is enough to keep signed header fields, presumably From:,
Message-Id: (which is random, btw), and Date:. All the rest can be changed at
will.
> DKIM uses the body content in two different hash calculations. This severely
> limits the ability of an attacker to find and exploit a hash collision. The
> conditional signatures seem unlikely to have that strength.
Even if the hash covers little data, finding a collision is not any easier.
According to dkim-conditional, an attacker would need a private key of the
domain pointed to by !fs=. That limits exploits substantially. Using vanilla
weak signatures (e.g. to be compatible with v=1 verifiers) allows replaying at
the recipient's discretion, a state of affairs loosely comparable to p=none.
Best
Ale
--
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc
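The l= point raised above, as an added illustration (not code from the thread or from the dkim-conditional draft): RFC 6376 lets bh= cover only the first l bytes of the canonicalized body, so a verifier that accepts such a signature has no integrity over whatever follows. The message bodies below are constructed sample input; `unsigned_tail_length` is a hypothetical verifier-side check, not part of any standard.

```python
import base64
import hashlib
import re
from typing import Optional


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: normalize line endings to CRLF
    and reduce any run of trailing empty lines to a single CRLF."""
    canon = re.sub(rb"\r?\n", b"\r\n", body)
    return re.sub(rb"(\r\n)*\Z", b"\r\n", canon, count=1)


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """Compute the bh= value: base64(SHA-256(canonicalized body)).
    When an l= tag is present only the first `length` bytes are hashed."""
    canon = canonicalize_body_simple(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def unsigned_tail_length(body: bytes, length: Optional[int]) -> int:
    """Hypothetical verifier check: number of canonicalized body bytes that an
    l= tag leaves outside the hash. Anything above 0 is unsigned content that
    a verifier should treat with suspicion (0 when there is no l= tag)."""
    canon = canonicalize_body_simple(body)
    if length is None or length >= len(canon):
        return 0
    return len(canon) - length


# Constructed sample bodies: the message as signed, and the same message
# with extra text appended after the signed length.
ORIGINAL = b"Please review the attached report.\n"
SIGNED_LEN = len(canonicalize_body_simple(ORIGINAL))  # value a signer puts in l=
APPENDED = ORIGINAL + b"P.S. The meeting moved to room 4.\n"


def demo() -> dict:
    """Show that bh= is unchanged by appended text when l= is used."""
    return {
        "bh_original": body_hash(ORIGINAL, SIGNED_LEN),
        "bh_appended": body_hash(APPENDED, SIGNED_LEN),
        "bh_appended_full": body_hash(APPENDED),  # no l=: hash changes
        "unsigned_bytes": unsigned_tail_length(APPENDED, SIGNED_LEN),
    }
```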