[ietf-dkim] I-D Action:draft-ietf-dkim-ssp-00.txt
chl at clerew.man.ac.uk
Wed Jul 11 03:17:54 PDT 2007
On Wed, 11 Jul 2007 00:37:57 +0100, Douglas Otis <dotis at mail-abuse.org> wrote:
> On Jul 10, 2007, at 2:15 PM, Hallam-Baker, Phillip wrote:
>> I would like to discuss the downgrade attack certainly. We have to
>> address the attack either by solving it or by explaining it in the
>> security considerations.
>> Doug's statement above is not correct though. A recipient ONLY looks at
>> the policy record if it does not find an acceptable signature record.
>> That means:
Eh? A recipient can look at a policy record whenever he sees fit to do so,
and for whatever reason.
> E) The message has a signature by a Third-Party domain.
F) The signer seemed to be unrelated to the From/Sender/Whatever headers;
G) The signature covered an "unusual" selection of headers;
H) There were several signatures, of which some passed and some failed;
I) Umpteen other reasons why it looked suspicious.
A Policy Record might well clear up some (probably not all) of such cases.
Moreover, experience will throw up new scams that the Bad Guys will
invent, and so it may become necessary to add new kinds of information to
Policy records that we have not even thought of yet. So, to that extent,
their notation needs to be extensible.
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
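As an added illustration of the point argued above (example code, not from the thread or from any DKIM implementation): a verifier-side decision that consults the sender's policy record under conditions E) through I), not only when no acceptable signature is found. The `Signature` record, the `EXPECTED_HEADERS` set, the exact-domain comparison and the sample inputs are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Signature:
    """One DKIM-Signature as seen by the verifier (constructed for the example)."""
    domain: str                 # value of the d= tag
    verified: bool              # result of cryptographic verification
    signed_headers: Tuple[str, ...]  # lower-cased names from the h= tag

# Headers a verifier expects a signer to cover. Assumption for this example:
# DKIM itself mandates only From; anything else is local policy.
EXPECTED_HEADERS = frozenset({"from", "subject", "date", "to"})

def author_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in the From header."""
    return from_header.rsplit("@", 1)[-1].strip(" >").lower()

def policy_lookup_reasons(from_header: str, signatures: List[Signature]) -> List[str]:
    """List every reason the verifier has to consult the policy record.

    An empty list means an acceptable, unremarkable signature was present
    and no lookup is needed; anything else is a trigger from the thread.
    """
    reasons = []
    domain = author_domain(from_header)
    passed = [s for s in signatures if s.verified]
    failed = [s for s in signatures if not s.verified]
    if not passed:
        reasons.append("no acceptable signature")           # the quoted case
    # E/F: a passing signature from a domain unrelated to the From domain.
    # A real verifier would compare organizational domains; exact match here.
    if any(s.domain.lower() != domain for s in passed):
        reasons.append("signer unrelated to From domain (third-party)")
    # G: the signature covered an unusual selection of headers.
    if any(not EXPECTED_HEADERS <= set(s.signed_headers) for s in passed):
        reasons.append("unusual selection of signed headers")
    # H: several signatures, some passing and some failing.
    if passed and failed:
        reasons.append("mixed signature results")
    return reasons

def should_fetch_policy(from_header: str, signatures: List[Signature]) -> bool:
    """True when the verifier should look up the policy record."""
    return bool(policy_lookup_reasons(from_header, signatures))
```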