RE: opendkim body hash did not verify problem

From: Dino Ciuffetti <dino_at_tuxweb.it>
Date: Thu, 22 Apr 2010 22:07:02 +0200 (CEST)

>> 1) the header called "MIME-Version" becomes "Mime-Version" and it also
>> changes position
>
> "relaxed" header canonicalization would tolerate the case change, and
> DKIM is not affected by header position changes. "simple" header
> canonicalization though would fail because of the case change. Did you
> try "relaxed" in your tests?

If I'm not wrong I cannot choose the canonicalization method when I'm
verifying because it's the signer that can choose it (am I missing
something?), and it appears to me that "gmail.com" (the signer in my case)
is using relaxed/relaxed.

>> 2) the header called "Content-Type" changes its value in some way and
>> its position
>
> The value change might cause a problem even for "relaxed", depending on
> what the change was. If it was simply adding or removing spaces (e.g.
> re-wrapping the value) it should still work. But again, position
> changes don't affect DKIM.

ok for the position change. You clarified that to me, thanks!

>> 3) a non-existent header called "Content-Transfer-Encoding" gets added
>> by courier

> New header fields generally don't affect DKIM unless the signer arranged
> for verification to fail if that header field gets added. That is, the
> signer could have specified "this signature must fail if
> Content-Transfer-Encoding gets added", in which case the verifier was
> acting correctly by failing the signature.

clear.

I'll do some more tests on my production MTAs.
Thank you! Dino.


-- 
Dino Ciuffetti
Linux System Administrator and Architect
TuxWeb S.r.l. - http://www.tuxweb.it/
Received on Thu Apr 22 2010 - 20:56:10 PST
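
The three header changes discussed in this thread, as an added example that is not part of the original messages and is not OpenDKIM code: it applies the "simple" and "relaxed" header canonicalization rules of RFC 6376 to a message before and after a relay touches it, and compares the resulting digests. The header values are constructed samples and the function names are hypothetical; a real verifier also hashes the DKIM-Signature field itself and checks the body hash separately, which this sketch leaves out.

```python
import hashlib
import re

def canon_header(name, value, mode):
    """Canonicalize one header field (RFC 6376, sections 3.4.1 and 3.4.2)."""
    if mode == "simple":
        return f"{name}:{value}\r\n"                    # no change tolerated
    value = re.sub(r"\r\n(?=[ \t])", "", value)         # unfold wrapped lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")    # collapse and trim WSP
    return f"{name.lower().strip()}:{value}\r\n"

def header_digest(headers, h_list, mode):
    """Hash the fields named in h=, picked by name from the bottom up."""
    pool, picked = list(headers), []
    for wanted in h_list:
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == wanted.lower():
                picked.append(canon_header(*pool.pop(i), mode))
                break
        # A name in h= with no matching field left adds nothing to the hash.
    return hashlib.sha256("".join(picked).encode()).hexdigest()

def survives(sent, relayed, h_list, mode):
    """True when the signed-header digest is unchanged after relaying."""
    return header_digest(sent, h_list, mode) == header_digest(relayed, h_list, mode)

# Constructed sample headers (name, value as on the wire after the colon).
SENT = [
    ("MIME-Version", " 1.0"),
    ("Content-Type", " text/plain; charset=ISO-8859-1"),
    ("Subject", " test"),
]
# Constructed model of the three changes discussed in the thread.
RELAYED = [
    ("Subject", " test"),
    ("Content-Type", " text/plain;\r\n\tcharset=ISO-8859-1"),  # re-wrapped
    ("Content-Transfer-Encoding", " 7bit"),                    # added
    ("Mime-Version", " 1.0"),                                  # case, position
]
H = ["mime-version", "content-type", "subject"]
H_OVERSIGNED = H + ["content-transfer-encoding"]  # signer forbids adding it

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, survives(SENT, RELAYED, H, mode),
              survives(SENT, RELAYED, H_OVERSIGNED, mode))
```

With the plain `h=` list only "relaxed" survives the relay; once the signer also lists the absent Content-Transfer-Encoding field, adding that field breaks the digest under both modes.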
