2003-09-25T19:46:36 Earl Hood:

> On September 25, 2003 at 11:30, Bennett Todd wrote:
> > There's a third method, which I think is rather better than either
> > of those. [canonicalize]
>
> You cannot do this for signed messages, therefore, you still
> need to either decode in all possible ways or drop the message
> (or the offending entity).

Or break the signature in the canonicalization. Good catch.

Lots of work will be needed to really completely solve this, and different solutions will fit different security stances. I think in terms of the security stances for corporations, with particular focus on financial services firms. A very, very different answer would be in order for, e.g., an ISP.

For the kind of companies I work in, the very best solution would (in my opinion!) be a canonicalizer that was smart enough to hold off actually committing any rewrites until it finds something that's ambiguous or dangerous, and that leaves notes describing what it did and why. Then when people get their mail whose sigs don't check, they get an explanation of what needs fixing. Depending on the user they may need to call a helpdesk to interpret the note and help them, or their correspondent, to reconfig to fix the problem, but that's as may be.

Also, in this sort of setting at least, you need very different handling of inbound -vs- outbound messages. Inbound messages get repaired --- or broken, in the case of digital sigs --- and then sent on to their intended internal recipient. Outbound traffic gets canonicalized if necessary, with commentary, gets malware replaced with "evil badness used to be here, I yanked it", then gets bounced back to the internal sender.

-Bennett
Attachment:
pgpGO5kSRqCqv.pgp
Description: PGP signature
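The deferred-commit canonicalizer described in the message above, as an added example that is not code from the original thread or from any product discussed there. It uses Python's standard email package for the MIME parsing; the blocked content types and extensions, the placeholder text, the note format, the inbound/outbound actions and both sample messages are constructed assumptions for illustration.

```python
# Added example, not code from the original thread. Parsing is done by
# Python's standard email package; the policy rules, placeholder text and
# sample messages below are hypothetical.
import email
from email import policy

PLACEHOLDER = "evil badness used to be here, I yanked it"
# Hypothetical local policy (assumption): what this site refuses to pass.
BLOCKED_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif")


def find_problems(msg):
    """Return {part_index: [reason, ...]} for ambiguous or dangerous parts.

    Nothing is modified here: a rewrite is committed only if this is non-empty.
    """
    problems = {}
    for i, part in enumerate(msg.walk()):
        reasons = []
        # Two Content-Type headers: decoders disagree on which one wins,
        # so the part has no single canonical interpretation.
        if len(part.get_all("Content-Type") or []) > 1:
            reasons.append("duplicate Content-Type header (decoders will disagree)")
        if part.get_content_type() in BLOCKED_TYPES:
            reasons.append("blocked content type " + part.get_content_type())
        name = part.get_filename() or ""
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            reasons.append("attachment filename %r has a blocked extension" % name)
        if reasons:
            problems[i] = reasons
    return problems


def canonicalize(raw, direction):
    """direction is "inbound" (repair, deliver internally) or "outbound"
    (repair, bounce to the internal sender). Returns the action taken, the
    notes explaining every rewrite, and the resulting message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    problems = find_problems(msg)
    if not problems:
        # Nothing ambiguous or dangerous: the original bytes pass through
        # untouched, so an intact signature still verifies downstream.
        return {"action": "deliver", "notes": [], "message": raw}

    notes = []
    for i, part in enumerate(msg.walk()):
        if i not in problems:
            continue
        why = "; ".join(problems[i])
        if part.is_multipart():
            # A container with no single interpretation cannot be repaired
            # in place; the only safe option left is to drop the message.
            notes.append("part %d: %s; dropping the message" % (i, why))
            return {"action": "drop", "notes": notes, "message": None}
        # Yank the offending entity. set_content() discards every Content-*
        # header of the part (both Content-Type lines included) and its body.
        part.set_content("\n".join([PLACEHOLDER] + problems[i]))
        notes.append("part %d replaced: %s" % (i, why))

    if msg.get_content_type() == "multipart/signed":
        notes.append("message was multipart/signed; the signature no longer "
                     "covers the rewritten body and will not verify")
    action = "bounce" if direction == "outbound" else "deliver"
    return {"action": action, "notes": notes, "message": msg.as_bytes()}


# Constructed samples, not real traffic.
CLEAN = b"""From: alice@example.test
To: bob@example.test
Subject: hello
MIME-Version: 1.0
Content-Type: text/plain

Nothing here needs canonicalizing.
"""

# PGP/MIME-signed message whose attachment carries two Content-Type headers.
SIGNED_AMBIGUOUS = b"""From: alice@example.test
To: bob@example.test
Subject: report
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: multipart/mixed; boundary="mix"

--mix
Content-Type: text/plain

See attached.
--mix
Content-Type: text/plain; name="notes.txt"
Content-Type: application/x-msdownload; name="notes.exe"
Content-Disposition: attachment; filename="notes.exe"
Content-Transfer-Encoding: base64

Q29uc3RydWN0ZWQgc2FtcGxlIGJ5dGVz
--mix--
--sig
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
--sig--
"""

if __name__ == "__main__":
    for direction in ("inbound", "outbound"):
        result = canonicalize(SIGNED_AMBIGUOUS, direction)
        print(direction, result["action"], *result["notes"], sep="\n  ")
```

The point of the structure is the early return: a message with nothing ambiguous or dangerous is passed through as the exact bytes that arrived, so its signature is untouched. Only when find_problems() reports something is a rewrite committed, and every rewrite leaves a note, including an explicit one when the outer type is multipart/signed, which is the explanation the recipient (or the helpdesk) needs when the signature no longer checks. The same repair runs for both directions; only the disposition differs, delivery inbound and a bounce to the internal sender outbound.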