Re: Rejected messages from the mailing list

From: Rolf E. Sonneveld <R.E.Sonneveld_at_sonnection.nl>
Date: Mon, 02 Aug 2010 22:52:36 +0200

Hi, Murray,

On 08/02/2010 09:18 PM, Murray S. Kucherawy wrote:
> On Mon, 2 Aug 2010, Alessandro Vesely wrote:
>> When rewriting, the odds that quotes around tokens in Content-Type
>> may be altered are 50%. Wouldn't it be more robust to avoid signing
>> that field, given current canonicalization capabilities?
>
> Section 5.5 of the DKIM RFC lists Content-Type in its SHOULD list.
>
> If you have data that back up the 50% claim, you might want to post
> that to ietf-dkim. As we move DKIM toward draft standard, maybe
> that's evidence that those fields should be removed from that list.
> The counter-argument though will be one of security.
>
> Or if the 50% claim is all addition or removal of quotes, perhaps
> that's useful input for a more robust header canonicalization scheme.

Alessandro earlier proposed a new canonicalization scheme, in response
to a problem I mentioned on the opendkim development list and which was
brought by you to this list under the subject "DKIM vs. MIME". We
probably have no statistics on this problem, but apart from the Courier
thing there was another problem, asking for a more relaxed treating of
some MIME fields. As MIME requires a MUA to treat content-type and other
MIME fields case-insensitive we'd probably add a canonicalization scheme
to support this. I don't think there's any security risk in treating
Content-Type and content-type and CoNtEnT-tYpE the same. And as long as
the MIME parameter _values_ are standardized there's no problem with
them too, IMHO.

So +1 for a new canonicalization scheme.

/rolf
Received on Mon Aug 02 2010 - 20:52:52 PST
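
Added example, not part of the original message or of any DKIM implementation: the thread's point, shown with DKIM's existing "relaxed" header canonicalization (RFC 6376, section 3.4.2) next to a hypothetical stricter variant. `mime_relaxed_header`, the sample headers and the rule "unquote a parameter value only when it is a plain MIME token" are assumptions made for illustration, not the scheme proposed on the list.

```python
import hashlib
import re

# RFC 2045 "token": no whitespace, controls, or tspecials. A quoted value that
# matches this parses to the same parameter value with or without its quotes.
_QUOTED_TOKEN = re.compile(r'="([^\s"()<>@,;:\\/\[\]?=]+)"')


def relaxed_header(raw: str) -> str:
    """DKIM "relaxed" header canonicalization (RFC 6376, section 3.4.2)."""
    name, _, value = raw.partition(":")
    value = re.sub(r"\r\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)         # runs of WSP -> single SP
    value = value.strip(" \t\r\n")                # no WSP after colon or at end
    return name.strip().lower() + ":" + value + "\r\n"


def mime_relaxed_header(raw: str) -> str:
    """Hypothetical extension: also drop quotes around token-only values."""
    return _QUOTED_TOKEN.sub(r"=\1", relaxed_header(raw))


def digest(canon: str) -> str:
    """Hash of the canonical form, standing in for the signed header hash."""
    return hashlib.sha256(canon.encode("ascii")).hexdigest()


# Constructed samples: the header as signed, then as a relay might rewrite it.
SIGNED = "Content-Type: text/plain; charset=us-ascii\r\n"
CASE_AND_FOLD = "CoNtEnT-tYpE:  text/plain;\r\n\tcharset=us-ascii\r\n"
QUOTES_ADDED = 'Content-Type: text/plain; charset="us-ascii"\r\n'
MUST_STAY_QUOTED = 'Content-Type: multipart/mixed; boundary="a b"\r\n'


def survives(canon, original: str, rewritten: str) -> bool:
    """True if the rewritten header still hashes like the signed one."""
    return digest(canon(original)) == digest(canon(rewritten))


if __name__ == "__main__":
    for label, hdr in [("case/fold", CASE_AND_FOLD), ("quotes", QUOTES_ADDED)]:
        print(label,
              "relaxed:", survives(relaxed_header, SIGNED, hdr),
              "mime-relaxed:", survives(mime_relaxed_header, SIGNED, hdr))
```

Field-name case and folding are already absorbed by "relaxed"; only the added quotes change the hash, and values that need their quotes are left untouched by the sketch.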
