Re: Rejected messages from the mailing list (erratum)

From: Rolf E. Sonneveld <R.E.Sonneveld_at_sonnection.nl>
Date: Mon, 02 Aug 2010 23:03:47 +0200

On 08/02/2010 10:52 PM, Rolf E. Sonneveld wrote:
> Hi, Murray,
>
> On 08/02/2010 09:18 PM, Murray S. Kucherawy wrote:
>> On Mon, 2 Aug 2010, Alessandro Vesely wrote:
>>> When rewriting, the odds that quotes around tokens in Content-Type
>>> may be altered is 50%. Wouldn't it be more robust to avoid signing
>>> that field, given current canonicalization capabilities?
>>
>> Section 5.5 of the DKIM RFC lists Content-Type in its SHOULD list.
>>
>> If you have data that back up the 50% claim, you might want to post
>> that to ietf-dkim. As we move DKIM toward draft standard, maybe
>> that's evidence that those fields should be removed from that list.
>> The counter-argument though will be one of security.
>>
>> Or if the 50% claim is all addition or removal of quotes, perhaps
>> that's useful input for a more robust header canonicalization scheme.
>
> Alessandro earlier proposed a new canonicalization scheme, in response
> to a problem I mentioned on the opendkim development list and which
> was brought by you to this list under the subject "DKIM vs. MIME".

I'm sorry: you brought it to the ietf-dkim list under that Subject (I
thought I was replying to an ietf-dkim message).

> We probably have no statistics on this problem, but apart from the
> Courier thing there was another problem, asking for a more relaxed
> treating of some MIME fields. As MIME requires a MUA to treat
> content-type and other MIME fields case-insensitive we'd probably add
> a canonicalization scheme to support this. I don't think there's any
> security risk in treating Content-Type and content-type and
> CoNtEnT-tYpE the same. And as long as the MIME parameter _values_ are
> standardized there's no problem with them too, IMHO.
>
> So +1 for a new canonicalization scheme.

/rolf
Received on Mon Aug 02 2010 - 21:04:02 PST
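
Added example (not part of the original message, and not code from OpenDKIM or any other DKIM implementation): a Python sketch of what the RFC 6376 "simple" and "relaxed" header canonicalizations do to a rewritten Content-Type field, showing that "relaxed" absorbs a change of field-name case and refolding but not added quotes around a token. The sample fields are constructed, hashing one field on its own is a simplification of the real DKIM header hash, and `mime_aware_header` is a hypothetical extra step for illustration, not the scheme proposed in the thread.

```python
import hashlib
import re

# RFC 2045 token characters (anything but SPACE, CTLs and tspecials).
TOKEN = r"[!#$%&'*+\-.^_`{|}~0-9A-Za-z]+"

def simple_header(raw: str) -> str:
    """RFC 6376 section 3.4.1: the field is hashed exactly as received."""
    return raw

def relaxed_header(raw: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header field."""
    name, value = raw.split(":", 1)
    name = name.strip().lower()                    # lowercase name, no WSP before ':'
    value = re.sub(r"\r\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)          # runs of WSP -> single SP
    value = value.strip(" \t\r\n")                 # drop WSP around the value
    return f"{name}:{value}\r\n"

def mime_aware_header(raw: str) -> str:
    """HYPOTHETICAL extra step: drop quotes around values that are plain tokens."""
    return re.sub(r'="(' + TOKEN + r')"', r"=\1", relaxed_header(raw))

# Constructed sample fields: the signed form and three rewrites in transit.
SIGNED = "Content-Type: text/plain; charset=us-ascii\r\n"
VARIANTS = {
    "name_case": "CoNtEnT-tYpE: text/plain; charset=us-ascii\r\n",
    "refolded": "Content-Type: text/plain;\r\n\tcharset=us-ascii\r\n",
    "quoted": 'Content-Type: text/plain; charset="us-ascii"\r\n',
}

def survives(canon) -> dict:
    """Per variant: does the digest of the canonical form match the signed one?"""
    digest = lambda s: hashlib.sha256(canon(s).encode("ascii")).hexdigest()
    return {name: digest(v) == digest(SIGNED) for name, v in VARIANTS.items()}

if __name__ == "__main__":
    for canon in (simple_header, relaxed_header, mime_aware_header):
        print(canon.__name__, survives(canon))
```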
