IETF Logo Mail Archive

Re: [Ietf-dkim] Question about lone CR / LF

Dave Crocker <dcrocker@bbiw.net> Sat, 03 February 2024 20:22 UTC

Return-Path: <dcrocker@bbiw.net>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12F81C14F60B for <ietf-dkim@ietfa.amsl.com>; Sat, 3 Feb 2024 12:22:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.805
X-Spam-Level:
X-Spam-Status: No, score=-2.805 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bbiw.net header.b="XL5Y461b"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="vwWLpzqf"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rxy5a4wuLtgC for <ietf-dkim@ietfa.amsl.com>; Sat, 3 Feb 2024 12:22:00 -0800 (PST)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A188C14F619 for <ietf-dkim@ietf.org>; Sat, 3 Feb 2024 12:22:00 -0800 (PST)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 0CD085C00B1; Sat, 3 Feb 2024 15:21:57 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Sat, 03 Feb 2024 15:21:57 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bbiw.net; h=cc :content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm2; t=1706991717; x=1707078117; bh=7fAFn+Tef/ +Paf09bYZtt3l42ZIikfOhZJFpSp39g4E=; b=XL5Y461bwPkfQtg27V3mNZC987 8yxev39SWKZbFClWI98/el5SDPOHpbzer/RbWmIOnIAxMTQ/1vb7fydFyACtnwWH irePhiC6x5yM+lGs56pfm+9l/fnAbmUNn3RGTwY1fauz5T4xTvFvz6EUmKbtCzZp K2lRPvv9ZZjbl8HHGQdahq9gMShOqx/qfCBWsVvikNvAK2IscZrjoGKoec3xR9tf Oqr3PPnT7UiSHFp3g5kwUPf64PILMrcvO699s9W/XK7DWInrvK4C0I0phAVfGBEj 5QyALd8emsJGLN9EYgBXbGBdnZhncnXzU8V6yEylLnDf1LidiA6bsS+JSBYg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1706991717; x=1707078117; bh=7fAFn+Tef/+Paf09bYZtt3l42ZIi kfOhZJFpSp39g4E=; b=vwWLpzqfnYYP58uj+Y1LIgxJYvHdbbwaO3P6vYGD4N2V bJ5Q6paTCa2ldCw9wWV9Lk4YX+IX67rYcvgRJ7xEHf85HCD3MtVhM/miPXFJJRg6 0FJbJDiaPHlnkOsY38nlNGfsRdFEemYjV8pkpyz2U/mq9L6v+haBgyL2sx4A8dMP L4lN4CULH7gxGxJoavonIrtV+Bv/uSXvBHa5o5RdLBERxJ3yP5WmkCav1QTXogZ/ sQA/vEkxYnS6siWG4j6J7jftDc9MC9eHyhnhh3/wFzMi4nhBvtW3HnPC7t5weFif hl1wJFfIxbaPJlR5G4XUnhZxkKvauk1RZGB/2M33sQ==
X-ME-Sender: <xms:ZKC-ZVRafS3rKuZZDsB4RY7EjJjjCabdNa_i1cXenkb49jsucErDdQ> <xme:ZKC-ZewJ7WLC3kK5pY6p48l5_7TIs9KhZ2CGaVdIDg7LYoj5jNSClbEXHakd2SgsX Wf59SJ04l_DduAxEA>
X-ME-Received: <xmr:ZKC-Za2Zx9qYBhmoTg-CKwfEEkf_3SrRFD9_1LRxVfL4c6LqDkaw5OkIUwkHVwwOxSx9GrJLCi6PowRjg8EUayo5hCYWVvJTrHVCc8ea>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrfeduiedgudefgecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpegtkfffgggfuffvfhfhohgjsegrtderredtvdejnecuhfhrohhmpeffrghv vgcuvehrohgtkhgvrhcuoegutghrohgtkhgvrhessggsihifrdhnvghtqeenucggtffrrg htthgvrhhnpeeifefhgfegueekvdffiefhhfeuudfgfeevheevffejfeejhedtueevteek keegfeenucffohhmrghinhepsggsihifrdhnvghtnecuvehluhhsthgvrhfuihiivgeptd enucfrrghrrghmpehmrghilhhfrhhomhepuggtrhhotghkvghrsegssghifidrnhgvth
X-ME-Proxy: <xmx:ZKC-ZdBIbXEbreSKp8sSqQZ9pySAy9edlLR6rw73USWGoE7riVwlvw> <xmx:ZKC-Zeik9jZ77v4VsysJ5ugr_ZG73If1QtNLJobMD5xpQXtCNDLo9A> <xmx:ZKC-ZRpD87UUAzlm49IbRiJbOcMLvae2gR2wL_9e17oPOS6YqPqqUg> <xmx:ZaC-ZWJfe_2x3BszL0MQzd_SDjMOQwfiAMzZ9RTqBQwU8i7U5aN5Aw>
Feedback-ID: i16d9478d:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 3 Feb 2024 15:21:56 -0500 (EST)
Content-Type: multipart/alternative; boundary="------------o7dnEu0RU60AOZ0Ezd4IBWcs"
Message-ID: <3fcee3ed-829f-432d-b0a1-87f9d3d1fe00@bbiw.net>
Date: Sat, 03 Feb 2024 12:21:57 -0800
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: John Levine <johnl@taugh.com>, ietf-dkim@ietf.org
References: <20240203201105.1FC79822ABD1@ary.qy>
From: Dave Crocker <dcrocker@bbiw.net>
Organization: Brandenburg InternetWorking
In-Reply-To: <20240203201105.1FC79822ABD1@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/T-bNmtU7gSaCwY98y79CrpviLh4>
Subject: Re: [Ietf-dkim] Question about lone CR / LF
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Feb 2024 20:22:05 -0000

On 2/3/2024 12:11 PM, John Levine wrote:
> It appears that Dave Crocker<dcrocker@bbiw.net>  said:
>>> Any DKIM signer or verifier already has a state machine looking for CR
>>> and LF to do header or body canonicalization.  When the state machine
>>> runs into a bare CR or LF, it has to do something. The only options
>>> are to produce a wrong result, since there is no correct result, or no
>>> result. (As I said in a recent note to Murray, which wrong result is
>>> likely to vary depending on local file details.)  You seem to be
>>> saying that as a matter of principle it should produce a wrong
>>> result.  I'd rather not.
>> The state machine has to process /every/ character.  You are focusing on
>> two that have special DKIM meaning, when occurring together, but that's
>> too narrow.  In practical terms, the state engine is evaluating every
>> character.
> Sorry, I thought it would be obvious that it already has to treat CR
> and LF differently, and it already has special cases for what follows
> CR and (on systems that don't turn CRLF to LF on the way in) what
> precedes LF.

It has to treat CRLF differently.  What is the reason it has to treat 
isolated occurrences of one or the other differently, beyond what I 
noted in my previous message?  What is the DKIM-specific reason?

I keep asking and you keep not responding.

>> In focusing down so narrowly, you've missed the basic point I made:
>> DKIM has no inherent reason to care about these characters' occurring in
>> isolation. ...
> Sigh. Except that it already does. You've made it clear that you
> believe there is a principled reason to produce invalid signatures
> from invalid input. Whatever.

"It already does" is not a reason it needs to.

As for what I believe, please stop distorting what I've said.

d/

ps. You seem to have missed that, in fact, bare CR and bare LF are legal 
in messages.

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social

v2.23.0 | Report a Bug | By Email