IETF Logo Mail Archive

Re: [Ietf-dkim] Question about lone CR / LF

Dave Crocker <dcrocker@bbiw.net> Sat, 03 February 2024 19:29 UTC

Return-Path: <dcrocker@bbiw.net>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F198C137370 for <ietf-dkim@ietfa.amsl.com>; Sat, 3 Feb 2024 11:29:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.805
X-Spam-Level:
X-Spam-Status: No, score=-2.805 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bbiw.net header.b="JyAroQ1s"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="wZgifWCr"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LB5Cdaoc2dqM for <ietf-dkim@ietfa.amsl.com>; Sat, 3 Feb 2024 11:29:50 -0800 (PST)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A969C13AE3B for <ietf-dkim@ietf.org>; Sat, 3 Feb 2024 11:29:49 -0800 (PST)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 20C605C00A9; Sat, 3 Feb 2024 14:29:49 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Sat, 03 Feb 2024 14:29:49 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bbiw.net; h=cc :cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm2; t=1706988589; x=1707074989; bh=17VGpHtFSl o1SG0ZLVzmDfu9Ulydvfv/SMGQsditNqA=; b=JyAroQ1sXX4zhVCTswYYN3HD2v 5FMMFuM0963pmEd28o4eTuEXyQWhM3IT7lLv7M19b5fgKJuLhk7C47Ern5mLdVT6 MOt2kPaR67SUzjf3Utml375r0UdSKFA/nRKLEz5QwATcc3pWMKHLzjk3ZYz7wgw4 ydkblkMaxz0/1haPxg0r7TkdXjlImHsMIbgXOzzPjJ7E6wDJAzbbu8Mtgad9vT4V UiS6yhZ3mQspLmICgCy0V7BkghX+wa3wsPcy19u8mmoYyZcQ8A/KM4ck3On63mO1 1WsYpRMy/6E5c2MbYdMEU+3nbYgzS+/7P4TNE/wcxtUkKJmVLf0Gu/52v01A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1706988589; x=1707074989; bh=17VGpHtFSlo1SG0ZLVzmDfu9Ulyd vfv/SMGQsditNqA=; b=wZgifWCrm155UQ8ca7YtYbRSLTZfhnDbTv4MOVZfGP6u TCNTbq/v2P4Ft/MB0x7i4yiaha5OCtAptn89nZlhV5fY/MR0Nm0sAjZ4BsJVcTQL izXYmShxQ/ppvHv9rN7r9fKXcNvhCJHFgWgXfjUi4oCyVcwAld/acTdL6o9Ker6h fVrZzOJTPOuV4OLJ853gU/RSE/jyvf9R21SH4sIfepvY2mW6Ymd+OveRldeZOIfj KUsAJEWPADMCaWTQBwFXGj7UUGy/7BF21ve65stOnrXYVTjuo2h7edz3ZA6vuM9F hFwtePsH0P/sGSxGxighSTt2LSG+FwmtWd5QpF+dZw==
X-ME-Sender: <xms:LJS-ZT-A89YBOk5zbDibUvUmgRJTgkK3-Vc-T8NEBvgI9TVzKyjCag> <xme:LJS-ZftQ8G7RxrtNOb6WIHsAsvVL0u08110Flay1W5pe-1rWXhzao9QUnZKTLY0rH 4Dw2HPDI6SW9btqHA>
X-ME-Received: <xmr:LJS-ZRBV2G3bQ5r67B_6fRXmrim1lxieFIDI4Xl5S12YuL3LCnULuI_W_P6REldxxpZ5hpeGRFhBvDhwTyyzjMNRyQA0Pc4dDyXFE0KX>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrfeduiedguddvvdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpegtkfffgggfuffvvehfhfhojgesrgdtreertddvjeenucfhrhhomhepffgr vhgvucevrhhotghkvghruceouggtrhhotghkvghrsegssghifidrnhgvtheqnecuggftrf grthhtvghrnhepvefhgeefleelffdvgeegueehkeeuleegffetveduvddvteetkeeifeev hefgleehnecuffhomhgrihhnpegssghifidrnhgvthenucevlhhushhtvghrufhiiigvpe dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegutghrohgtkhgvrhessggsihifrdhnvght
X-ME-Proxy: <xmx:LJS-ZfcDLLHVnaEWfj1L_LtkJu784tTnvHOp81quGrrSXRf222jtaA> <xmx:LJS-ZYNeRRHONtj-kk3DVEVwrjhEglnVe1eYbY7GgfrXQT0Y829D4A> <xmx:LJS-ZRmMHekpzMzQQCeW9YTfq2096BptgQWaUQn1lJE1yhpimMD0FQ> <xmx:LZS-ZSUEVekScrx1tqUL-FD2ZRJPlcjc7HYzukR1wD0Qv5cUlE_DiA>
Feedback-ID: i16d9478d:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 3 Feb 2024 14:29:48 -0500 (EST)
Content-Type: multipart/alternative; boundary="------------eH8pHLb8zC0siBoBv0E0vkIl"
Message-ID: <46b0e4e6-898a-4ab3-a51c-cc54abb14891@bbiw.net>
Date: Sat, 03 Feb 2024 11:29:49 -0800
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: John R Levine <johnl@taugh.com>
Cc: ietf-dkim@ietf.org
References: <20240202043446.AAF26820F0AD@ary.qy> <52b5c2f3-e52f-403f-becf-813bbaf7b870@bbiw.net> <479a6ba4-db35-0305-a1bb-03dc1c9ec722@taugh.com>
From: Dave Crocker <dcrocker@bbiw.net>
Organization: Brandenburg InternetWorking
In-Reply-To: <479a6ba4-db35-0305-a1bb-03dc1c9ec722@taugh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/05hWWZJEqc7gf_Vi1iZKuvuliD8>
Subject: Re: [Ietf-dkim] Question about lone CR / LF
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Feb 2024 19:29:55 -0000

On 2/3/2024 10:32 AM, John R Levine wrote:
> On Sat, 3 Feb 2024, Dave Crocker wrote:
>> Having a DKIM module check for one aspect of RFC5322 conformance 
>> raises a need to make it a full RFC5322 compliance engine.
>
> That's easy: no, it doesn't.
>
> Any DKIM signer or verifier already has a state machine looking for CR 
> and LF to do header or body canonicalization.  When the state machine 
> runs into a bare CR or LF, it has to do something. The only options 
> are to produce a wrong result, since there is no correct result, or no 
> result. (As I said in a recent note to Murray, which wrong result is 
> likely to vary depending on local file details.)  You seem to be 
> saying that as a matter of principle it should produce a wrong 
> result.  I'd rather not.


The state machine has to process /every/ character.  You are focusing on 
two that have special DKIM meaning, when occurring together, but that's 
too narrow.  In practical terms, the state engine is evaluating every 
character.

In focusing down so narrowly, you've missed the basic point I made:  
DKIM has no inherent reason to care about these characters' occurring in 
isolation.  DKIM is not a message validation engine. It is a 
DKIM-specific engine.  One more time:  DKIM has no requirement of its 
own that cares about a bare CR or bare LF.

If you think otherwise, please explain, in terms of DKIM syntax and 
semantics, independent of a general message format specification.

And the point I made was not that it was difficult to add code to raise 
an exception when one of them occurs on its own, but that DKIM is the 
wrong place to put the exception. And that makes it likely there will be 
a maintenance problem down the line.

Imagine, if you will, that the email format standard changes to make CR 
and LF acceptable to occur, each on their own.  This is not all the 
impossible, given that they were entirely legal in RFC 733 and RFC822.

In fact, upon reviewing the different versions, I see that they are 
/still /legal in RFC 2822 and RFC 5322 and RFC5322bis parsing, with some 
text implying why there was  a change from being fully legal.

/<rant> While I understand the explanation, I don't agree with the 
change, since I think it deals with local misbehaviors by changing 
global standards behaviors. More likely, the better way to think of it 
is that the global details have not been specified precisely enough.  So 
I think the fix is to define the semantics of each character globally 
and require local engines to match it, as they already have to do for 
newline. </rant>/

Hmmm... So it seems that the claim that they are illegal is not correct!

But let's continue the hypothetical that they are illegal. If/when they 
become legal, there has to be memory that DKIM treats them as illegal.

DKIM is not a general message parsing engine, so it entirely possible 
(likely) that the maintainer of DKIM code will not know to make the change.

Since DKIM does not need to care about bare occurrences of these 
characters, things are kept simpler and frankly easier to maintain, by 
having bare occurrences pass through as other characters do.  The fact 
that the appearance of a bare CR will raise a flag (or change a state) 
in case the next character is an LF is a distraction to the current 
issue.  It does not require failing the DKIM-specific parse, because in 
terms of what /DKIM /itself needs to care about, a bare CR and a bare LF 
are just characters like any other.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social

v2.23.0 | Report a Bug | By Email