IETF Logo Mail Archive

Re: [ietf-dkim] versions, Where is the formal definition of DKIM-Signature?

"John Levine" <johnl@taugh.com> Fri, 09 February 2018 00:36 UTC

Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 681B412DA29 for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Thu, 8 Feb 2018 16:36:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level:
X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1536-bit key) reason="fail (message has been altered)" header.d=iecc.com header.b=BRqU3MEz; dkim=fail (1536-bit key) reason="fail (message has been altered)" header.d=taugh.com header.b=eRkVNGWi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N_rEjScQO1_K for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Thu, 8 Feb 2018 16:36:18 -0800 (PST)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A37AA12D96B for <ietf-dkim-archive@ietf.org>; Thu, 8 Feb 2018 16:36:18 -0800 (PST)
Received: from simon.songbird.com (simon.songbird.com [127.0.0.1]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id w190ZQDL004683; Thu, 8 Feb 2018 16:35:27 -0800
Authentication-Results: simon.songbird.com; dkim=fail reason="verification failed; unprotected key" header.d=iecc.com header.i=@iecc.com header.b=BRqU3MEz; dkim-adsp=none (unprotected policy); dkim-atps=neutral
Received: from gal.iecc.com (gal.iecc.com [64.57.183.53]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id w190ZMB5004673 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <ietf-dkim@mipassoc.org>; Thu, 8 Feb 2018 16:35:24 -0800
Received: (qmail 98108 invoked from network); 9 Feb 2018 00:34:24 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=17f39.5a7cec90.k1802; bh=EJO4pjwAqi00VUwZBYGlAjaA3iMcXWEj6nZ2GDckmPk=; b=BRqU3MEzm+GWw6SuUrpP60MFLH5bWd/+3Ia0zOQHfOHOV8RaP0pBuJ6zX89Z+x6DefcLkrsJWzmezk43pAZRAb9F0pEw9UG/8sx+N3KuPlZ1WU9wr8Fxet5Xy2FYx4MmSEZPRIsCis+EK6CnE7tzkFqC6iqQh75JAj3sLjWRrGy08Kce+pu9z2yloV1dYMHBxRwsYGQT1/ZUEiQvhSQONFrzg0NpI1hGyc7JT3dDQCtiH2xGieBekxTpyU7Zmhsy
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=17f39.5a7cec90.k1802; bh=EJO4pjwAqi00VUwZBYGlAjaA3iMcXWEj6nZ2GDckmPk=; b=eRkVNGWiqLrF4DwQcKL/MzCWLaXNQRdciMI89WVCtI1J9NwlQMKQETwlHVvJzewSJJS1YW5Fu35I5YukNr1EssY8OJaV4DsBBcFBTpcdH0dsEjIQU7MNpx4u/xGNImP7f9ezmfsQUDrWaRQwya5w+yW0oaHjBNYez10OzLabz/TfQDe0/I6BNpdb6WyeLavrVPHjoR7FxeZDZpstW9CbqzZDaVDq36x4FAY1T1Jev4OXiLfqiuOs3SxAo+sELeiU
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 09 Feb 2018 00:34:24 -0000
Received: by ary.qy (Postfix, from userid 501) id 341851A7363F; Thu, 8 Feb 2018 19:34:23 -0500 (EST)
Date: Thu, 08 Feb 2018 19:34:23 -0500
Message-Id: <20180209003424.341851A7363F@ary.qy>
From: John Levine <johnl@taugh.com>
To: ietf-dkim@mipassoc.org
In-Reply-To: <20180208203207.26575.qmail@f3-external.bushwire.net>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Subject: Re: [ietf-dkim] versions, Where is the formal definition of DKIM-Signature?
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim/>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ietf-dkim-bounces@mipassoc.org
Sender: ietf-dkim <ietf-dkim-bounces@mipassoc.org>

In article <20180208203207.26575.qmail@f3-external.bushwire.net> you write:
>After all, what are most senders going to do? They will not want their
>signatures to be suddenly unrecognized by 99% of the planet so they'll continue
>to generate a v=1 header and they will also want to reap the bennies of your
>fantastic SpamAssassin feature so they'll additionally generate a v=2 header.

In my application, the feature that requires v=2 is double signing,
i.e. this signature is valid only if there's also a signature from X.  It
was intended as a workaround for the DMARC mailing list problem

The idea is that in addition to your regular v=1 signature, you'd also
put a weak v=2 signature that requires re-signing by the mailing list.
If you don't use conditional signing (or something else subsequently
added that depends on v=2 semantics), then v=1 signatures are fine
forever.

The reason to make then both DKIM-Signature headers is that there is
code, some of which I've written, that looks for DKIM-Signature
headers in a message and calls a DKIM verifier library if it sees
them.  DKIM is slow, do you don't want to waste time verifying
messages with nothing to verify.  If you don't change the
DKIM-Signature header, all of this code keeps working when you upgrade
your DKIM library.  If you invent a new header, it doesn't.

>The end result is two DKIM-Signature headers with different versions for decades
>to come. This will no doubt tweak some receiver is a negative way.

Only if their validators are broken.  I realize that's likely to be
the case now and then but I can't feel too sorry for them.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email