Re: Re: What the verifier can do: msg#00597 ietf.dkim
Paul Hoffman wrote:
> At 8:49 AM -0400 4/30/06, Tony Hansen wrote:
>> Paul Hoffman wrote:
>>> It is up to the verifier to decide how much effort after the first
>>> attempt it wants to do. The cost to the verifier is doing multiple
>>> hashes, not doing multiple signature validations.
>>
>> Ummm, we don't currently run a hash of the headers, just the body.
>
> Umm, yes we do. See section 3.7:
>    In hash step 2, the signer or verifier MUST pass the following to the
>    hash algorithm in the indicated order.
>
> Digital signature algorithms almost always encrypt a hash of the data,
> not the data itself, because the encryption and decryption steps are so
> expensive.
>
>> We
>> currently do the signature validation based on the actual headers, the
>> body hash, and the dkim-signature. So doing such a verification *would*
>> require multiple signature validations.
>
> A verifier using heuristics (not specified in the spec) would do the
> following:
>
> 1) Look at the hash in the signature.

Paul, which hash where? There is no hash in the dkim signature for the
headers, only a hash for the body and the resulting signature.

Now, *if* there were a header hash in the signature, each of your other
steps 2-4 would be accurate. But there isn't, which is why the algorithm is:

1) calculate the body hash
2) verify the hash of the body
2a) if desired, apply heuristics to body and repeat from 1
3) verify the signature using RSA
3a) if desired, apply heuristics to headers and repeat from 3

If you're going to apply heuristics to the headers, you can't get away
from recalculating the RSA signature after each application of the
heuristics.

	Tony Hansen
	tony@xxxxxxx

> 2) Marshall the hash as specified in dkim-base.
>
> 3) Perform the hash function. See if the result is the same as the one
> from step 1.
> 3a) If yes, go to step 5.
> 3b) If no, go to step 4.
>
> 4) Modify the verifier's internal view of the message in some heuristic
> way and marshall the hash. Go to step 3.
>
> 5) Check that the signature over the hash in the message verifies.
>
> Again, steps 3a and 4 should not be in the base spec, but they should
> also not be prohibited by the base spec.
>
>> It's been suggested that we adopt another tack, and use a hash of the
>> headers as well as a hash of the body. So the actual signature
>> validation would be on two hashes along with the rest of the
>> dkim-signature header field.
>>
>> This particular suggestion hasn't received any traction as yet.
>
> Nor should it. The header format in base-01 is fine for the cryptography
> involved.
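
The verification order listed in the message above (steps 1 to 3a), as an added example that is not part of the original message or of any DKIM implementation. It assumes a constructed toy RSA key without padding, no canonicalization, a hex-encoded bh value, and hypothetical helper names and heuristics; the two counters report how many body hashes and signature checks each run performed.

```python
import hashlib

# Constructed toy RSA key from two Mersenne primes; illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(headers: bytes, body: bytes) -> dict:
    """Signer: bh is the body hash; b signs the headers together with bh."""
    bh = hashlib.sha256(body).hexdigest()
    return {"bh": bh, "b": pow(digest_int(headers + bh.encode()), D, N)}

def verify(headers, body, sig, body_fixes=(), header_fixes=()):
    """Returns (result, body_hashes, signature_checks)."""
    body_hashes = signature_checks = 0
    # Steps 1, 2, 2a: hash the body, compare with bh, retry per body heuristic.
    for fix in (lambda data: data, *body_fixes):
        body_hashes += 1
        if hashlib.sha256(fix(body)).hexdigest() == sig["bh"]:
            break
    else:
        return "body hash mismatch", body_hashes, signature_checks
    # Steps 3, 3a: check the signature over the headers, retry per header heuristic.
    for fix in (lambda data: data, *header_fixes):
        signature_checks += 1
        if pow(sig["b"], E, N) == digest_int(fix(headers) + sig["bh"].encode()):
            return "pass", body_hashes, signature_checks
    return "signature mismatch", body_hashes, signature_checks

# Constructed sample: a message as signed, then as altered by a mailing list.
HEADERS = b"From: alice@example.org\r\nSubject: hello\r\n"
BODY = b"Hi there\r\n"
SIG = sign(HEADERS, BODY)
LIST_HEADERS = HEADERS.replace(b"Subject: ", b"Subject: [list] ")
LIST_BODY = BODY + b"-- \r\nlist footer\r\n"

def strip_footer(body: bytes) -> bytes:      # hypothetical body heuristic
    return body.split(b"-- \r\n")[0]

def strip_tag(headers: bytes) -> bytes:      # hypothetical header heuristic
    return headers.replace(b"Subject: [list] ", b"Subject: ")

if __name__ == "__main__":
    print(verify(HEADERS, BODY, SIG))
    print(verify(LIST_HEADERS, LIST_BODY, SIG))
    print(verify(LIST_HEADERS, LIST_BODY, SIG, [strip_footer], [strip_tag]))
```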