Douglas Otis <[EMAIL PROTECTED]> writes: > On Sat, 2006-04-01 at 21:56 -0800, Dave Crocker wrote: >> >> Barry Leiba wrote: >> > And I'd like to get us to close on two other discrete parts: >> > 1. Whether we want to have a mechanism to let the signature survive >> > the reordering of multiple sig headers or not. >> ... >> > 2. Whether we want to be able to detect the removal of a signature >> > header (as perhaps in the case of a "stronger" one and leaving a >> >> >> My question for each is why? >> >> To do either of these requires additional mechanism. > > Yes for 2. Perhaps a simple mechanism added optionally. > >> So the question is what benefit will accrue... and why that benefit >> is essential to a task of the type DKIM is intended to perform? > > Transitioning algorithms in signed email may take long periods of time. > When there are exploits possible with a prior algorithm being phased- > out, until it is possible to ensure acceptance with just the newer > convention, including both conventions will be required. This period > could span a significant amount of time, and depend upon the motivation > of all verifiers. > > Not have a mechanism to detect when the stronger signature is missing > means even when the verifier does support a newer convention, the > exploit remains possible, even for those verifiers that care about the > problem. Selectively sending or verifying adds a greater amount of > overhead.
Can you explain what "the exploit" means in this context? I understand that technically you're talking about stripping out the stronger signature, but under what set of circumstances do you believe that this is useful as an attack? -Ekr _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
