IETF Logo Mail Archive

Re: [Ietf-dkim] Question about lone CR / LF

"Murray S. Kucherawy" <superuser@gmail.com> Tue, 06 February 2024 00:57 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3583CC1519B0 for <ietf-dkim@ietfa.amsl.com>; Mon, 5 Feb 2024 16:57:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tPaQvHojwZcF for <ietf-dkim@ietfa.amsl.com>; Mon, 5 Feb 2024 16:57:27 -0800 (PST)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF04EC1519AE for <ietf-dkim@ietf.org>; Mon, 5 Feb 2024 16:57:22 -0800 (PST)
Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-a28cfca3c45so165241366b.1 for <ietf-dkim@ietf.org>; Mon, 05 Feb 2024 16:57:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707181041; x=1707785841; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=BXWzsi1ru6UnxEbVZOpON6xAJDFGzvNy1yLRlGYnorg=; b=DIPN2EbDMcohnXdMdZSBIWorzLOniV/QjdkVImNElH6sdW/HPikzYA0xRv/Mp/J1Xr dNxQ9gcOJykiqQYzD5BMmyJYA73y+FXV9VvwrzjIYMIX0T5uehQHqJoJatNKWH3lkRL6 VGiQzwWTXOiHItJZOprBYFG0FobpE9seRE9U1OcNLABLPlGd0V5o0L3gXvY0Y04IhFvX 7Yh49ehUvITS9TxmU0hwg+dlRx/ftg4MeMim/O8dEgAdIYB2F8ew0PamPhQo1oQAgnJ5 zb8bzFi300Vb3e/p0E3EsPqEyAjsr78CfA377W0pXdXYaeinJ70irmTQ/3oh4kFvFGEf 2pUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707181041; x=1707785841; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=BXWzsi1ru6UnxEbVZOpON6xAJDFGzvNy1yLRlGYnorg=; b=TVDJhJtfpoOf7CkwLgqhNy2E7g1xqBSEnhHPCyQuUoQ7Xt8igz4yKq5XMSNFrBDmrR BysmEThJfmdJY+YOA2LSmOTe0BUlV751QoT76/yuZtRaxV+XMB5ED7Aavy4rZr3feDi2 ud1soAHgl+RJvck51cKtl/cmElOP2weTmvNEbFWV4ZDE81jnClaeJ/s35GUpgyD0Nd6E NhZ6M/hjGy7kHJXaWzn8RHLxgMmD4jQ0nnzgQrO3fRQu8ZOuDywpDjE1czLarPaMUbAf uOGsNALGRbyE5YQLhUqKHNxQ3XQzbfnveqjen3dSvmFFnhT+skhd2QAae7C343Up7Oxi dnTw==
X-Gm-Message-State: AOJu0YxrCMrKQ+5xCqgI2QdP3k33gvFax/QySbA9iXf2OCHEbdiFs0xv UzShYtiUmDQRSlXpD9g4Pd697eHODK6yDrxTix+dbydJ8XTaTDFvUMBF0dLjBL7lzzJ9Pu2vfhe cw2rZfi+1X3QfriuUov6Si4R31R+UFERTzf4=
X-Google-Smtp-Source: AGHT+IHxq7pTbO7xPyDMHWAERI7UuHV0mvb1jv53DcgJ8Ru69f/Oiw9P8qXJRBCOE/U62loZPd+aAUQTl8DgjXCknU4=
X-Received: by 2002:a17:906:a419:b0:a37:6228:b9ad with SMTP id l25-20020a170906a41900b00a376228b9admr589872ejz.3.1707181040434; Mon, 05 Feb 2024 16:57:20 -0800 (PST)
MIME-Version: 1.0
References: <20240202043446.AAF26820F0AD@ary.qy> <f9c11d1a-7799-4946-b95e-7c9c682d60ba@dcrocker.net> <CAL0qLwZyXV11ZeULceA5sQbStky4ashJgBVmr_=8vaKZkykSiQ@mail.gmail.com> <663ff8e7-4a6f-4ce4-965f-52bdfe8bb090@bbiw.net>
In-Reply-To: <663ff8e7-4a6f-4ce4-965f-52bdfe8bb090@bbiw.net>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Mon, 05 Feb 2024 16:57:06 -0800
Message-ID: <CAL0qLwbMPTZh2wKD+Fg-O_GHTHEfAA-MGYzdk1zwHyhVzEzwtg@mail.gmail.com>
To: Dave Crocker <dcrocker@bbiw.net>
Cc: ietf-dkim@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007b82950610ac0f44"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/qYxk25uWgzjKFkH8MotWiIZo0SQ>
Subject: Re: [Ietf-dkim] Question about lone CR / LF
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2024 00:57:28 -0000

On Mon, Feb 5, 2024 at 8:50 AM Dave Crocker <dcrocker@bbiw.net> wrote:

> OpenDKIM will not sign a message that fails basic RFC5322 header checks
> (e.g., "From" or "Date" is missing), but will place an
> Authentication-Results field indicating the message is malformed.  At some
> point, though, someone talked me into making it possible to bounce such a
> message in the filter.  I wish I could remember the full context.
>
> So you are enforcing an RFC5322 requirement for From and Date to be
> present, although the DKIM spec only requires signing From.
>
> Why are you doing that?
>
> Imagine RFC5322++ removes the requirement for Date. (In fact I had not
> remembered Date is required, going all the way back to RFC733. sigh.)  That
> requires remembering and changing DKIM code.
>
> I understand the desire to do this extra checking, but not the
> justification for giving in to it, inside DKIM.
>

Yeah, as I said, I wish I could remember.  It's a bit of a contradiction.
My best guess is that something was injecting messages without a Date field
knowing the MTA (sendmail, in this case) would add one.  But this had the
effect of causing the filter to oversign that field, so the MTA adding one
immediately invalidated the signature.  Adding this check avoided that
problem.


> It also allows for specification of things that are likely to be rewritten
> downstream (e.g., address canonicalization), which it can then simulate
> when computing its hashes, in order to make validation of the signature at
> the verifier more likely to succeed.[*]
>
> "likely to be rewritten downstream" is clearly part of local
> implementation design choices.
>

Yes indeed, though in my case I was compensating for an implementation
choice in the MTA to which the filter provides a service, and I don't have
direct control over the MTA's choices.

> While possibly quite reasonable to make for the implementation, they have
> nothing to do with the standards specification, other than to encourage
> writing standards that neither require nor inhibit such choices.
>
Yes, I agree that the specification should follow what I call the "pure"
angle, but also be abstract enough not to constrain implementation to
enable reality.

> (*) Lon ago, Knuth visited UCLA when I was there, and 'structured
> programming' was a hot topic.  He did a presentation to test a perspective
> that he later wrote up.  He observed that fully structured programs,
> without gotos, could sometimes make code /worse/.  He shows some code
> without any gotos that was correct but extremely difficult to read and
> understand.  Then he showed a version, with two loops -- one after the
> other -- and inside each was a goto into the other.  OMG.  But this code
> was clear, concise and easy to understand.
>

Interesting.  Is that online anywhere?

-MSK

v2.23.0 | Report a Bug | By Email