Re: Strict canonicalization considered harmful

From: Alessandro Vesely <>
Date: Sat, 06 Dec 2014 15:27:08 +0100

On Sat 06/Dec/2014 00:43:51 +0100 Murray S. Kucherawy wrote:
> On Fri, 5 Dec 2014, Alessandro Vesely wrote:
>> a user reported problems with a long (us-ascii) From:, so I tried myself. My
>> first attempt went ok, but then I noted he used simple/simple rather than
>> relaxed/relaxed. So I temporarily changed my settings. This time I failed too.
>> I sent an empty message to each of the remailers in opendkim-README:
>> In addition, I tried Gmail, Yahoo!, and the following three:
>> Results: bounced, the last two succeeded, the
>> rest failed. To be more precise, applemaildev failed on an empty message like
>> the one below; however, it succeeded when the body contained some text. The
>> other checkers manage to munge the From: line before verification, so they
>> cannot succeed.
> is probably running a pretty old version of OpenDKIM by
> now (though I haven't checked). The always runs the latest code.
> No idea about the rest.

Blackops and sendmail tried to validate messages whose headers respectively
contained the following fields:
From: "Display phrase of 51, total line length line of 76" <>
From: "Display phrase of 51, total line length line of 76" <>
(those two apparently identical fields came back from those two validators.)

The corresponding field in a bcc to myself was:
From: "Display phrase of 51, total line length line of 76" <>

I took the length of 76 from the bug report. I think the user noticed the
signature breakage and tried various lengths until he reproduced the bug. He
ascribed it to zdkimfilter, with good reason, and reported it to me. I wanted
to find a different validator to prove that the signature was good, but who am
I to assert that my program is correct while all validators in the world say
the opposite? Maybe you could try that, since it's you who wrote the RFC, but
I wouldn't bet on it nonetheless.

> However, I just sent an empty message (using alpine as the MUA) through
> to and it came back fine.

What length did you try?

> I'm not sure if your results mean DKIM validators are buggy, or a lot of
> infrastructure monkeys with empty messages, or both, or something else.

Buggy validators is the most relevant point.

> It would be interesting to know what results you get for simple/relaxed and
> relaxed/simple as that would give us some hints about whether it's a header
> problem or a body problem. I would put my money on the latter (though not very
> much of it).

Not to cash your money in, but body was empty.

Received on Sat Dec 06 2014 - 14:27:21 PST

This archive was generated by hypermail 2.3.0 : Sat Dec 06 2014 - 14:36:01 PST