[ietf-dkim] Proposal for specifying syntax and semantics for
multiple signatures
Stephen Farrell
stephen.farrell at cs.tcd.ie
Tue Apr 4 10:14:40 PDT 2006
Doug,
Douglas Otis wrote:
>
> On Apr 4, 2006, at 8:44 AM, Dave Crocker wrote:
>> Douglas Otis wrote:
>>>> Sorry, I still don't understand what the purpose or impact of this
>>>> attack is. Can you explain?
>>>
>>> An attack may be enabled by replaying a message compromised due to a
>>> weak hash, key, or canonicalization algorithm.
>>
>>
>> You didn't answer his question (or, by derivation, mine.)
>
> DKIM can establish a trust relationship between the signing-domain and
> the recipient. Being able to exploit that trust relationship can be
> used to both defraud the recipient, and damage the trust that might have
> been established by the signing-domain. If there is an exploit that
> becomes a problem, both parties should be able to quickly upgrade and
> find protection.
>
> The message may have been a message a financial institution asking to
> check the account and offering a helpful login link. The recipient
> might trust this link when lead to understand this domain signs their
> messages and that their MDA/MUA places non-compliant messages into their
> spam folder.
Nor can I see what this has to do with removing one of a bunch of
signatures.
Maybe we should move on and you can raise the replay issue again
later (I bet you will, eh:-)
S.
More information about the ietf-dkim
mailing list