Paul Hoffman wrote:
> At 8:49 AM -0400 4/30/06, Tony Hansen wrote:
>> Paul Hoffman wrote:
>> > It is up to the verifier to decide how much effort after the first
>>> attempt it wants to do. The cost to the verifier is a doing multiple
>>> hashes, not doing multiple signature validations.
>>
>> Ummm, we don't currently run a hash of the headers, just the body.
>
> Umm, yes we do. See section 3.7:
> In hash step 2, the signer or verifier MUST pass the following to the
> hash algorithm in the indicated order.
>
> Digital signature algorithms almost always encrypt a hash of the data,
> not the data itself, because the encryption and decryption steps are so
> expensive.
>
>> We
>> currently do the signature validation based on the actual headers, the
>> body hash, and the dkim-signature. So doing such a verification *would*
>> require multiple signature validations.
>
> A verifier using heuristics (not specified in the spec) would do the
> following:
>
> 1) Look at the hash in the signature.
Paul, which hash where? There is no hash in the dkim signature for the
headers, only a hash for the body and the resulting signature.
Now, *if* there were a header hash in the signature, each of your other
steps 2-4 would be accurate. But there isn't, which is why the algorithm is:
1) calculate the body hash
2) verify the hash of the body
2a) if desired, apply heuristics to body and repeat from 1
3) verify the signature using RSA
3a) if desired, apply heuristics to headers and repeat from 3
If you're going to apply heuristics to the headers, you can't get away
from recalculating the RSA signature after each application of the
heuristics.
Tony Hansen
[EMAIL PROTECTED]
> 2) Marshall the hash as specified in dkim-base.
>
> 3) Perform the hash function. See if the result is the same as the one
> from step 1.
> 3a) If yes, go to step 5.
> 3b) If no, go to step 4.
>
> 4) Modify the verifier's internal view of the message in some heuristic
> way and marshall the hash. Go to step 3.
>
> 5) Check that the signature over the hash in the message verifies.
>
> Again, steps 3a and 4 should not be in the base spec, but they should
> also not be prohibited by the base spec.
>
>> It's been suggested that we adopt another tack, and use a hash of the
>> headers as well as a hash of the body. So the actual signature
>> validation would be on two hashes along with the rest of the
>> dkim-signature header field.
>>
>> This particular suggestion hasn't received any traction as yet.
>
> Nor should it. The header format in base-01 is fine for the cryptography
> involved.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
