[ietf-dkim] DKIM SSP: Security vulnerability when SSP record
doesnot exist?
Arvel Hathcock
arvel at altn.com
Wed Aug 10 07:53:37 PDT 2005
What about DNS connectivity problems which do come up from time to time?
Suppose you get an unsigned message and DNS lookups fail for whatever
transient reason. If you change the current default policy you'd end up
treating as suspicious every message that arrives during the time DNS was
messed up.
--
Arvel
----- Original Message -----
From: "Earl Hood" <earl at earlhood.com>
To: <ietf-dkim at mipassoc.org>
Sent: Tuesday, August 09, 2005 7:18 PM
Subject: [ietf-dkim] DKIM SSP: Security vulnerability when SSP record
doesnot exist?
> In the DKIM SSP draft, the following is stated:
>
> If the Sender Signing Policy record does not exist, verifier systems
> MUST assume that some messages from this entity are not signed and
> the message SHOULD NOT be considered to be Suspicious.
>
> I'm wondering if this a safe policy to assert, especially in the
> context of past SSP discussions on ietf-mailsig where the SSP may
> need to be examined always, and not just for invalid signatures.
>
> Why is it not safe? Because a malicious domain can send out messages
> with forged rfc2822.From addresses where the domain portion does not
> have any SSP defined. Therefore, when a DKIM verifier checks the
> SSP for rfc2822.From, the message would not be considered suspicious
> since no SSP record is available.
>
> IMHO, if no SSP records is defined for the OA, then messages from
> the OA must be considered to never be signed, and any signed message
> should be considered suspicious.
>
> --ewh
> _______________________________________________
> ietf-dkim mailing list
> ietf-dkim at mipassoc.org
> http://mipassoc.org/mailman/listinfo/ietf-dkim
>
>
More information about the ietf-dkim
mailing list