IETF Logo Mail Archive

Re: [ietf-dkim] RFC4871 interoperability conflict over "h= " tag

SM <sm@resistor.net> Wed, 12 January 2011 23:47 UTC

Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@core3.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BEA073A67D7 for <ietfarch-ietf-dkim-archive@core3.amsl.com>; Wed, 12 Jan 2011 15:47:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.077
X-Spam-Level:
X-Spam-Status: No, score=-106.077 tagged_above=-999 required=5 tests=[AWL=2.522, BAYES_00=-2.599, GB_I_LETTER=-2, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oi9bqMbDZkJB for <ietfarch-ietf-dkim-archive@core3.amsl.com>; Wed, 12 Jan 2011 15:47:27 -0800 (PST)
Received: from sbh17.songbird.com (sbh17.songbird.com [72.52.113.17]) by core3.amsl.com (Postfix) with ESMTP id B6E933A67D4 for <ietf-dkim-archive@ietf.org>; Wed, 12 Jan 2011 15:47:27 -0800 (PST)
Received: from sbh17.songbird.com (sbh17.songbird.com [127.0.0.1]) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id p0CNmKRx028211; Wed, 12 Jan 2011 15:48:27 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=mipassoc.org; s=k00001; t=1294876113; bh=TgVZ5rxiw3E+sMNjcGmxzUHhSuo=; h=Message-Id:Date:To: From:In-Reply-To:References:Mime-Version:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Type:Content-Transfer-Encoding:Sender; b=CVOCvz/sXe7EOHqnL 6ozGdntK2/xjIICOQxDpseHDFgaqYmEBfAO2tqpkJthZYTy7Pt3kkURS7Aj2ktwcOzm kzz815Wbn9B7gd7YXS2XklfxxyjKgr1mfGQAAUppu2dgAQmCreRyaCB5MNMI9vg+GA5 Y3HbmD0bHykzw1gnXCVw=
Received: from ns1.qubic.net (ns1.qubic.net [208.69.177.116]) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id p0CNmDCY028205 for <ietf-dkim@mipassoc.org>; Wed, 12 Jan 2011 15:48:18 -0800
Authentication-Results: sbh17.songbird.com; dkim=hardfail (verification failed) header.i=@opendkim.org
Received: from SUBMAN.resistor.net ([10.0.0.1]) (authenticated bits=0) by ns1.qubic.net (8.14.5.Alpha0/8.14.5.Alpha0) with ESMTP id p0CNm1AE025576 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 12 Jan 2011 15:48:08 -0800 (PST)
Message-Id: <6.2.5.6.2.20110112150543.076f2928@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Wed, 12 Jan 2011 15:31:09 -0800
To: "Murray S. Kucherawy" <msk@cloudmark.com>
From: SM <sm@resistor.net>
In-Reply-To: <F5833273385BB34F99288B3648C4F06F1341E73DF4@EXCH-C2.corp.cl oudmark.com>
References: <2160FE85-AEB4-48F5-867F-A225B66FDFC4@paypal-inc.com> <F5833273385BB34F99288B3648C4F06F1341E73DCD@EXCH-C2.corp.cloudmark.com> <58958683-44AA-4DE5-A2BD-4BA4732A6857@paypal-inc.com> <F5833273385BB34F99288B3648C4F06F1341E73DF4@EXCH-C2.corp.cloudmark.com>
Mime-Version: 1.0
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0 (sbh17.songbird.com [127.0.0.1]); Wed, 12 Jan 2011 15:48:33 -0800 (PST)
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.0 (sbh17.songbird.com [72.52.113.70]); Wed, 12 Jan 2011 15:48:18 -0800 (PST)
Cc: ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] RFC4871 interoperability conflict over "h= " tag
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org

Hi Murray,
At 11:24 12-01-11, Murray S. Kucherawy wrote:
>If an "a=rsa-sha1" message matching a "h=sha1" key fails for reasons 
>other than the usual things that cause a signature to fail (i.e. 
>alteration in transit or mismatched keys), I'd say the verifier is 
>doing something that looks a lot like breakage to me.

My reading of Brett's message is that the specification is 
unclear.  There is the following informative note in Section 3.3:

       INFORMATIVE NOTE: Although sha256 is strongly encouraged, some
       senders of low-security messages (such as routine newsletters) may
       prefer to use sha1 because of reduced CPU requirements to compute
       a sha1 hash.  In general, sha256 should always be used whenever
       possible.

You mentioned implementation and policy in a previous message.  The 
first paragraph of Section 3.3 describes the software requirements 
for the DKIM implementation.  The second paragraph describes how the 
software may be used.  I'll use Murray's description and call it 
policy.  The better fit may be "operations" and how to ensure interoperability.

According to Section 4.1.2 of draft-ietf-dkim-implementation-report-05:

   '50.5% of signatures used "rsa-sha1", while the  balance
    used "rsa-sha256".'
If receivers want to reinterpret the requirements, they may see more 
"DKIM failures".

Regards,
-sm 

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email