On 18 Aug 2025, at 21:50, Phillip Tao <[email protected]> wrote: > >> The >> headers for the unobtrusive signatures are inside a MIME part so they're >> inside the >> message body and do not get canonicalized by DKIM. > > What led to this design decision? Is there a reason that DKIM > canonicalization should _not_ be applied to the headers for unobtrusive > signatures? Or was that just an incidental result of repeating the headers > inside the MIME part so that they can be signed at all? > > From the summary Kai linked, it _seems_ like the latter.
It was an incidental result, and can be attributed to our lack of familiarity with DKIM canonicalization. We were attempting to balance the (perhaps incompatible) requirements of robustness against innocent header mangling, and reliable detection of malicious header mangling. If header mangling was solely the result of innocent changes such as DKIM canonicalization, being able to recover the original outer header at e2e-verification time would be very useful. Or it may be the result of a remailer (such as a mailing list) that edits the Subject line, in which case automatically recovering the original is not possible in general, but it might still be possible to check that the inner Subject is a substring of the outer (for example). [[As a more detailed example, a system may wish to produce an index of a mailbox without the expense of checking the e2e signatures over all messages first. On the other hand, an MUA should neither display any e2e-unverified headers in the message view, nor should it present the message as verified if there is a (significant?) mismatch between the unverified headers displayed in the index and the e2e-verified headers displayed in the message view.]] If we e2e-signed over outer headers only, this would guarantee breakage of the e2e signature by many kinds of innocent change, such as mailing list Subject prefixes. If we e2e-signed over *all* outer headers, as has been suggested for DKIM2, the e2e signature would almost certainly be broken by any mailing list that modified From, Sender etc. So long as this breakage was silent, there is no vulnerability introduced, but it would be preferable if the e2e signature could be more robust. We have all had bad experiences with MTAs mangling headers (dkg and I also have recent experience of MTAs mangling *bodies*). DKIM canonicalisation is one possible solution, putting headers inside a body part is another. The advantage of putting the headers inside a body part is that it can be done entirely by MUAs, without waiting for MTAs to catch up. On the other hand, it would still be nice to share as much spec betwen DKIM and unobtrusive signatures as possible. If the generating and receiving MUAs performed DKIM canonicalization on all headers before generating or checking signatures, this check might be robust against an additional class of innocent changes in transit. A
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ Ietf-dkim mailing list -- [email protected] To unsubscribe send an email to [email protected]
