--On Wednesday, October 24, 2012 1:48 PM -0700 "Murray S. Kucherawy"
<msk_at_opendkim.org> wrote:
> Among the major changes in this release:
>
> o SECURITY: The library will now decline to generate a signature, or pass
> even a valid signature, if the signing key is compirsed of too few
> bits, thus being insecure. The default is 1024. This can be
> controlled through the API, and the setting can also be adjusted in the
> filter via the new "MinimumKeyBits" setting.
Hi Murray,
What about this part of the CVE (<
http://www.kb.cert.org/vuls/id/268267>)?
Does OpenDKIM already correctly not verify testing mode messages? I'm
going to guess yes, but I didn't see that explicitly stated in the docs.
Further, the documentation about:
On-BadSignature (string)
Selects the action to be taken when a signature fails to validate. Possible
values (with abbreviated forms in parentheses): accept (a) accept the
message; discard (d) discard the message; quarantine (q) quarantine the
message; reject (r) reject the message; tempfail (t) temp-fail the message.
The default is accept. Note that the "t" (testing) flag in a DKIM key does
not alter this behaviour; even keys marked as test keys whose signatures
fail will still be subjected to the selected action.
seems to imply that perhaps OpenDKIM treats testing keys normally?
>From the CVE:
1) CWE-347: Improper Verification of Cryptographic Signature: DKIM
information is conveyed in an email header called a DKIM-Signature header
field. A Signer can indicate that a domain is testing DKIM by setting the
DKIM Selector Flag (t=) flag to t=y. Some verifiers accept DKIM messages in
testing mode when the messages should be treated as if they were not DKIM
signed. From RFC 6376:
t= Flags, represented as a colon-separated list of names (plain-
text; OPTIONAL, default is no flags set). Unrecognized flags MUST
be ignored. The defined flags are as follows:
y This domain is testing DKIM. Verifiers MUST NOT treat messages
from Signers in testing mode differently from unsigned email,
even should the signature fail to verify.
Thanks,
Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Received on Fri Oct 26 2012 - 23:47:52 PST