SM wrote:
> Hi Hector,
> At 15:23 13-05-2011, Hector Santos wrote:
>> I am wondering if anyone else can confirm BODY HASH errors with the
>> originating author domain DKIM signature mail submitted to the
>> IETF-SMTP fora.
>
> Yes. It may be an extra line between the message headers and the body.

Visually comparing the sent message versus the one echoed back by the list, that seems to be the case.

Checking into this, I see that I discovered this issue back in 2006 and wrote this I-D proposing a new C14N method called STRIP.

http://tools.ietf.org/html/draft-santos-dkim-strip-00

Abstract

   The DKIM base protocol offers two digital signature
   canonicalization (c14n) methods called "relaxed" and "simple" with
   low reliability and survivability during in-transient operations.
   This proposal describes a new STRIP canonicalization algorithm and
   method to increase the reliability and survivability of the digital
   signature. In addition, the proposal describes new original body
   hashing requirements to help secure STRIP c14n security concerns
   found in a similar but deprecated NOFWS c14n method.

From the 1.0 introduction:

   .... This document introduces the new STRIP c14n which is similar
   to RELAXED but with the added logic to remove all CR and LF
   characters from the hashing engine.

   The STRIP c14n is very similar to the NOFWS c14n method used by
   Yahoo's experimental DomainKeys protocol and was once considered
   for usage for the DKIM protocol. However, since it was determined
   the NOFWS c14n exhibited some replay security threats, it is
   expected for STRIP c14n to also inherit the same security
   concerns.

The security concerns stated in the final sentence were addressed in this proposal.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
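
The body-hash failure discussed in this message, as an added example that is not part of the original post or of the draft: it computes the DKIM bh= value under the RFC 6376 "simple" and "relaxed" body canonicalizations and under a STRIP-like variant, for a body that gains one empty line at its start in transit. The STRIP-like function is an assumption built only from the sentence quoted above (relaxed, then all CR and LF removed); it does not implement the draft's additional original body hashing requirements, and the sample bodies are constructed.

```python
import base64
import hashlib
import re

def simple_body(body: bytes) -> bytes:
    # RFC 6376 3.4.3: ignore empty lines at the end, finish with one CRLF.
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def relaxed_body(body: bytes) -> bytes:
    # RFC 6376 3.4.4: collapse WSP runs to one SP, drop WSP at line ends,
    # ignore empty lines at the end of the body.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def strip_like_body(body: bytes) -> bytes:
    # Assumption: "similar to RELAXED" plus removal of every CR and LF,
    # as the quoted introduction describes. Not the draft's full algorithm.
    return relaxed_body(body).replace(b"\r", b"").replace(b"\n", b"")

METHODS = {"simple": simple_body,
           "relaxed": relaxed_body,
           "strip-like": strip_like_body}

def body_hash(body: bytes, method: str) -> str:
    # Value of the bh= tag for a SHA-256 signature.
    digest = hashlib.sha256(METHODS[method](body)).digest()
    return base64.b64encode(digest).decode("ascii")

def survives_relay(sent: bytes, relayed: bytes) -> dict:
    # True where the verifier's recomputed bh= still matches the signer's.
    return {m: body_hash(sent, m) == body_hash(relayed, m) for m in METHODS}

# Constructed sample: the relayed copy has one extra empty line before the body.
SENT = b"Hello list,\r\n\r\nBODY HASH test.\r\n"
RELAYED = b"\r\n" + SENT

if __name__ == "__main__":
    for method, ok in survives_relay(SENT, RELAYED).items():
        print(f"{method:10s} bh match after relay: {ok}")
```

Both RFC 6376 methods ignore empty lines only at the end of the body, so a leading one changes bh=. Because CR and LF never reach the hash in the STRIP-like variant, its digest also stays the same when line breaks are moved, so it no longer covers line structure.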