[ietf-dkim] Binary algorithms and algorithm spoofing during a transition.
Douglas Otis <dotis@mail-abuse.org> Tue, 25 April 2006 17:16 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FYR9H-0002hB-Gz for ietf-dkim-archive@lists.ietf.org; Tue, 25 Apr 2006 13:16:27 -0400
Received: from sb7.songbird.com ([208.184.79.137]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FYR9G-0003VO-4n for ietf-dkim-archive@lists.ietf.org; Tue, 25 Apr 2006 13:16:27 -0400
Received: from sb7.songbird.com (sb7.songbird.com [127.0.0.1]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id k3PHFcW5014698; Tue, 25 Apr 2006 10:15:39 -0700
Received: from b.mail.sonic.net (b.mail.sonic.net [64.142.19.5]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id k3PHFTBi014677 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-dkim@mipassoc.org>; Tue, 25 Apr 2006 10:15:29 -0700
Received: from [168.61.10.151] (SJC-Office-DHCP-151.Mail-Abuse.ORG [168.61.10.151]) (authenticated bits=0) by b.mail.sonic.net (8.13.6/8.13.3) with ESMTP id k3PHEtmM021117 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO) for <ietf-dkim@mipassoc.org>; Tue, 25 Apr 2006 10:14:55 -0700
Mime-Version: 1.0 (Apple Message framework v749.3)
Content-Transfer-Encoding: 7bit
Message-Id: <4BBFC5DA-7BDC-41AC-B85C-0FC4C64AF4D7@mail-abuse.org>
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
To: IETF-DKIM <ietf-dkim@mipassoc.org>
From: Douglas Otis <dotis@mail-abuse.org>
Date: Tue, 25 Apr 2006 10:15:13 -0700
X-Mailer: Apple Mail (2.749.3)
X-Songbird: Clean, Clean
Subject: [ietf-dkim] Binary algorithms and algorithm spoofing during a transition.
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org
X-SongbirdInformation: support@songbird.com for more information
X-Songbird-From: ietf-dkim-bounces@mipassoc.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4d87d2aa806f79fed918a62e834505ca
,--- | a= The algorithm used to generate the signature (plain-text; | REQUIRED). Verifiers MUST support "rsa-sha1" and "rsa-sha256"; | signers SHOULD sign using "rsa-sha256". See Section 3.3 for a | description of algorithms. | | ABNF: | | sig-a-tag = %x61 [FWS] "=" [FWS] sig-a-tag-alg | sig-a-tag-alg = "rsa-sha1" / "rsa-sha256" / x-sig-a-tag-alg | x-sig-a-tag-alg = hyphenated-word ; for later extension '___ Change to: : a= (plain-text or decimal representation of an 8-bit algorithm : number used to generate the signature; REQUIRED). The number : is defined in the algorithm table that supports the KEY, SIG, : DNSKEY, RRSIG, DS, and CERT RRs. See RFC3755 and : draft-ietf-dnsext-dnssec-rsasha256. : : Verifiers must support (3) RSA/SHA-1 and (tbd) RSA/SHA-256. : ABNF: : : sig-a-tag = %x61 [FWS] "=" [FWS] sig-a-tag-alg : sig-a-tag-alg = "rsa-sha1" / "rsa-sha256" / "3" / "tbd" : : Future algorithms will always be specified by number. When DKIM supports a binary key RR format, there will be a requirement to confirm an unknown algorithm is supported by the signer, when not supported by the verifier. This prevents an exploit where a signature may proffer a new algorithm and use of a binary key, but where the mapping of the text algorithm to a binary algorithm representation that can not be known in advance. As such, using a numeric designator ensures compatibility with future key specifications while also preventing algorithm spoofing during a transition phase, which may cause allowances to be erroneously granted. -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
- [ietf-dkim] Binary algorithms and algorithm spoof… Douglas Otis