On Fri, Jul 27, 2018 at 08:24 Murray S. Kucherawy <superu...@gmail.com> wrote:
>> covering the ARC header fields in the failing chain, all the data in the
>> failed chain can be modified as it is not covered under the latest
>> signature.
>
> I think it's weird that the body of content that gets hashed by the sealer
> in this case varies from what would normally happen. A verifier might have
> to try two different verification algorithms if, for example, it doesn't
> determine that the chain is structurally invalid.
>
> If I receive a chain that was apparently valid at the last sealer and
> determine that it is no longer so, could we simply decline to re-seal it at
> all?
>
> -MSK

The verification algorithm is straightforward. If you receive a chain that ends with cv=fail, stop your evaluation; you’re done. There’s no separate validation path here.

Additionally, I worry about the security implications of passing along a known bad chain without terminating it. Right now, worst case, one intermediary needs to evaluate and terminate a maliciously formed chain. If it’s simply not Sealed, then everyone in the path must perform the evaluation. I don’t know what new vectors this opens up, but I could foresee some cascading issues.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
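Added here as an illustration, not code from the thread or from any ARC implementation: the structural pass a verifier can run over a message's ARC-Seal fields before touching any signature, including the short-circuit discussed above (latest seal carries cv=fail, so evaluation stops). The header values are constructed samples; cryptographic verification of each set is the next step and is not shown.

```python
import re

# Constructed sample ARC-Seal values (not from the thread): a three-hop chain
# whose last sealer recorded cv=fail, so no signature needs to be checked.
SAMPLE_ARC_SEALS = [
    "i=1; a=rsa-sha256; cv=none; d=first.example; s=sel; b=AAA=",
    "i=2; a=rsa-sha256; cv=pass; d=second.example; s=sel; b=BBB=",
    "i=3; a=rsa-sha256; cv=fail; d=third.example; s=sel; b=CCC=",
]

_TAG_RE = re.compile(r"\s*([a-z]+)\s*=\s*([^;]*?)\s*(?:;|$)")


def parse_tags(header_value):
    """Split an ARC-Seal value into its tag=value pairs (surrounding whitespace stripped)."""
    return {m.group(1): m.group(2) for m in _TAG_RE.finditer(header_value)}


def structural_verdict(arc_seals):
    """Decide what a verifier may conclude before any signature is checked.

    Returns (verdict, reason). 'fail' means the chain is terminated and
    evaluation stops here; 'pending' means the structure is sound and every
    set's AMS/AS signatures still have to be verified cryptographically.
    """
    if not arc_seals:
        return "none", "no ARC-Seal header fields present"
    seals = {}
    for value in arc_seals:
        tags = parse_tags(value)
        try:
            i = int(tags["i"])
        except (KeyError, ValueError):
            return "fail", "ARC-Seal without a usable i= tag"
        if i in seals:
            return "fail", f"duplicate ARC-Seal instance i={i}"
        seals[i] = tags
    n = max(seals)
    # Instances must form a contiguous run 1..N; RFC 8617 caps i= at 50.
    if n > 50 or sorted(seals) != list(range(1, n + 1)):
        return "fail", "instances are not a contiguous run 1..N (N <= 50)"
    # The short-circuit from the thread: a chain whose latest seal says cv=fail
    # is dead; nothing older in it is covered by that seal, so stop here.
    if seals[n].get("cv") == "fail":
        return "fail", f"latest seal i={n} carries cv=fail; stop evaluation"
    for i in range(1, n + 1):
        expected = "none" if i == 1 else "pass"
        if seals[i].get("cv") != expected:
            return "fail", f"i={i} has cv={seals[i].get('cv')!r}, expected {expected!r}"
    return "pending", f"{n} sets structurally valid; verify all AMS/AS signatures"
```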