On 21.09.2023 at 00:30 John Levine wrote: > It appears that Gellner, Oliver via mailop <[email protected]> said: >>> Yes, I'm sure it does. >>> Using simple/simple canonicalization is not for people who want robust DKIM >>> signatures. >> >>The relaxed canonicalization of DKIM would fix this particular issue, >>but relaxed means both the signer and the verifier have to apply >>modifications to the content before signing/verifying, which might introduce >>new bugs or edge cases. ...
> The canonicalization is done as the library computes the hash, not by making
> a separate version of the message. We've had DKIM libraries doing relaxed
> signatures for over a decade and I don't ever recall a security bug related
> to that.
> There's a separate question about why relays are munging the headers but it
> usually comes down to, yeah, we know they shouldn't but it's not a high
> priority to fix.
The bugs don't have to be security related, they just lead to wrongly computed
DKIM signatures, because some implementations applied the steps defined in the
RFC for the relaxed canonicalization in a wrong way or wrong order or whatever.
For example as reported on this very list ("We already found some interesting
bits, like [...] mail-in-a-box using relaxed/simple for DKIM, which breaks
signature validity on long To: headers")
https://list.mailop.org/private/mailop/2023-February/024443.html or with Ciscos
appliances which "fail signing and verification messages with an empty body on
relaxed canonicalization" (bug ID CSCvh84754, but not publicly visible).
I'm not arguing against the relaxed canonicalization, just saying that it is
merely a workaround for the quirks in different MTAs and the actual solution
lies at fixing the behavior of those MTAs.
--
BR Oliver
________________________________
dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
[email protected]<mailto:[email protected]> * www.dmTECH.de<http://www.dmtech.de>
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher
________________________________
Datenschutzrechtliche Informationen
Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser
ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in
Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich
bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter
anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie
die Kontaktdaten unserer Datenschutzbeauftragten finden Sie
hier<https://www.dm.de/datenschutzerklaerung-kommunikation-mit-externen-493832>.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
