[ietf-dkim] DKIM Threat Assessment v0.02 (very rough draft)
Earl Hood
earl at earlhood.com
Tue Aug 9 19:36:51 PDT 2005
On August 9, 2005 at 17:11, Michael Thomas wrote:
> > "Yahoo! DomainKeys has confirmed that this message was sent by
> > *verified-domain*."
>
> So your users all understand that "verified-domain" means
> that From: *@example.com instead of From: user@example.com
> is what's really believable? Somehow I'm guessing they aren't
> going to make that distinction, even if that's technically true.
This is not accurate. Your text implies rfc2822.From, and currently
DKIM does not verify that directly. I.e., the domain portion
of the rfc2822.From address can be completely different from
the signing domain.
(Note, I'm inclined to agree that end-users may not understand what
is being indicated, and any MUA-based support will need to consider
how verification feedback is displayed very carefully.)
In the example Yahoo message above, "*verified-domain*" may not
match the domain in rfc2822.From.
As DKIM SSP is currently defined, this allows malicious domains
to forge the rfc2822.From and still pass DKIM verification. This
should be addressed in the next set of drafts, but we'll have to
wait until they come out to know for sure.
(See past threads about spoofing and SSP on
ietf-mailsig. A search for "spoofing or SSP" at
<http://www.mhonarc.org/archive/html/ietf-mailsig/> will give you
plenty of hits.)
--ewh
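The mismatch described in the message above, as an added example that is not part of the original post or of any DKIM implementation: a Python check that pulls the d= tag out of each DKIM-Signature header (the domain a verifier such as the Yahoo example would present as "verified") and compares it with the domain of the rfc2822.From address. Both messages are constructed and their bh= and b= values are dummies; no signature is verified, only the identity relationship the post is about. The "relaxed" rule (one domain is a subdomain of the other) is a simplification chosen here for illustration, not something the DKIM or SSP drafts define.

```python
"""Compare the DKIM signing domain (d= tag) with the rfc2822.From domain.

Added example, not from the mailing-list post or any DKIM code base.
The two messages are constructed; signature values are dummies and no
cryptographic verification is done, only the d= vs From: comparison.
"""

from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed message: signing domain and From: domain are unrelated,
# so a verifier that displays d= shows a domain the user never sees in From:.
MISMATCHED = b"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailer.example.net;
 s=sel1; h=from:to:subject:date; bh=ZmFrZWJoPT0=; b=ZmFrZXNpZz0=
From: Alice <alice@example.com>
To: bob@example.org
Subject: test
Date: Tue, 9 Aug 2005 19:36:51 -0700

body
"""

# Constructed message: signed by a subdomain of the From: domain.
SUBDOMAIN_SIGNED = b"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com;
 s=sel1; h=from:to:subject:date; bh=ZmFrZWJoPT0=; b=ZmFrZXNpZz0=
From: alice@example.com
To: bob@example.org
Subject: test
Date: Tue, 9 Aug 2005 19:36:51 -0700

body
"""


def parse_dkim_tags(value: str) -> dict:
    """Parse a DKIM-Signature tag=value list into a dict.

    Tags are separated by ';'; folding whitespace inside a value is dropped.
    Only the first '=' splits name from value, so base64 padding in b= survives.
    """
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:  # tolerate a trailing ';'
            continue
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed DKIM tag: {item!r}")
        tags[name.strip()] = "".join(val.split())
    return tags


def from_domain(msg) -> str:
    """Domain of the rfc2822.From address, lowercased (display name ignored)."""
    _, addr = parseaddr(str(msg["From"] or ""))
    _, sep, domain = addr.rpartition("@")
    if not sep or not domain:
        raise ValueError("From: header has no parseable address")
    return domain.lower()


def signing_domains(msg) -> list:
    """d= of every DKIM-Signature header; a message may carry several."""
    return [parse_dkim_tags(h)["d"].lower()
            for h in msg.get_all("DKIM-Signature", [])]


def is_aligned(signing: str, author: str, strict: bool) -> bool:
    """Strict: identical domains. Relaxed (simplification chosen for this
    example): one domain is a subdomain of the other."""
    if signing == author:
        return True
    if strict:
        return False
    return signing.endswith("." + author) or author.endswith("." + signing)


def check_alignment(raw: bytes, strict: bool = False) -> dict:
    """Report the From: domain, the signing domain(s), and whether any aligns."""
    msg = message_from_bytes(raw, policy=policy.default)
    author = from_domain(msg)
    signers = signing_domains(msg)
    return {
        "from_domain": author,
        "signing_domains": signers,
        "aligned": any(is_aligned(d, author, strict) for d in signers),
    }


if __name__ == "__main__":
    for label, raw in (("mismatched", MISMATCHED), ("subdomain", SUBDOMAIN_SIGNED)):
        print(label, check_alignment(raw), "strict:", check_alignment(raw, True)["aligned"])
```

The check passes a message through only when the displayed signing domain bears some relationship to the From: domain; the first constructed message, which a d=-only display would label as verified by mailer.example.net, fails both the strict and the relaxed rule.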