Re: What the verifier can do

At 8:49 AM -0400 4/30/06, Tony Hansen wrote:
> Paul Hoffman wrote:
>  > It is up to the verifier to decide how much effort after the first
> >  attempt it wants to do. The cost to the verifier is a doing multiple
> >  hashes, not doing multiple signature validations.
>
> Ummm, we don't currently run a hash of the headers, just the body.

Umm, yes we do. See section 3.7:
   In hash step 2, the signer or verifier MUST pass the following to the
   hash algorithm in the indicated order.

Digital signature algorithms almost always encrypt a hash of the 
data, not the data itself, because the encryption and decryption 
steps are so expensive.

> We
> currently do the signature validation based on the actual headers, the
> body hash, and the dkim-signature. So doing such a verification *would*
> require multiple signature validations.

A verifier using heuristics (not specified in the spec) would do the following:

1) Look at the hash in the signature.

2) Marshall the hash as specified in dkim-base.

3) Perform the hash function. See if the result is the same as the 
one from step 1.
3a) If yes, go to step 5.
3b) If no, go to step 4.

4) Modify the verifier's internal view of the message in some 
heuristic way and marshall the hash. Go to step 3.

5) Check that the signature over the hash in the message verifies.

Again, steps 3a and 4 should not be in the base spec, but they should 
also not be prohibited by the base spec.

> It's been suggested that we adopt another tack, and use a hash of the
> headers as well as a hash of the body. So the actual signature
> validation would be on two hashes along with the rest of the
> dkim-signature header field.
>
> This particular suggestion hasn't received any traction as yet.

Nor should it. The header format in base-01 is fine for the 
cryptography involved.