[ietf-dkim] Fwd: Re: New Issue: protecting a domain name vs. protecting a domain tree
Charles Lindsey
chl at clerew.man.ac.uk
Fri Apr 11 09:09:56 PDT 2008
On Wed, 09 Apr 2008 19:27:27 +0100, Dave Crocker <dhc at dcrocker.net> wrote:
> Eric Allman wrote:
>> Dave, I'm not understanding how the algorithm can work if you omit step
>> 2 from section 4.2.2.
> The attack that you describe requires using some name other than the one
> that is
> listed. The single, specific name that is listed is, indeed,
> "protected".
Sure, if a phisher includes
From: info at ebay.com
then SSP/DKIM will catch him.
If the phisher includes
From: info at ezbay.com
then we know that SSP/DKIM cannot catch him, and there is not much we can
do about that other than to advise phishees to read From headers _very_
carefully.
But if the phisher includes
From: info at mailout.ebay.com
where the domain mailout.ebay.com does not exist, then it needs to be
caught somehow, since the phishee will look at it _very_ carefully and
will find it perfectly reasonable (as indeed it is).
So if we cannot arrange that mailout.ebay.com is not caught by some
sub-domain mechanism within SSP, then we at least need to say, perhaps
non-normatively:
"Although it is impossible to obtain an SSP record for a non-existent
sub-domain of a protected domain, verifiers might well choose to
reject/discard/whatever messages with non-existent domains in From headers
as a matter of policy quite separate from their policies arising from
SSP/DKIM."
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
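An added example, not code from the thread or from any SSP implementation, showing the verifier-side decision the post describes: the From domain is checked for existence first, so a non-existent sub-domain of a protected domain is rejected by local policy before any SSP lookup is attempted. The DNS zone, the SSP table and the boolean "all mail signed" policy shape are constructed stand-ins.

```python
# Added example (not from the original thread): verifier-side disposition of a
# From: header, separating "domain does not exist" from SSP policy.
from __future__ import annotations
import re
from typing import Callable, Dict, Optional

# Constructed stand-in for DNS: names that resolve. Anything else is NXDOMAIN.
# A real verifier would replace `exists` with an actual resolver call.
CONSTRUCTED_ZONE = {"ebay.com", "ezbay.com"}

# Constructed SSP-like policy table: True means "this domain signs all mail".
# Only the protected domain publishes a record; the lookalike does not.
CONSTRUCTED_SSP: Dict[str, bool] = {"ebay.com": True}

# Matches the domain part of "info@ebay.com" or "eBay <info@ebay.com>".
FROM_RE = re.compile(r"@([A-Za-z0-9.-]+)>?\s*$")

def from_domain(header: str) -> str:
    """Extract the lower-cased domain from a From: header value."""
    m = FROM_RE.search(header.strip())
    if not m:
        raise ValueError(f"no domain in From header: {header!r}")
    return m.group(1).lower().rstrip(".")

def evaluate(header: str, dkim_signed_by: Optional[str],
             exists: Callable[[str], bool] = lambda n: n in CONSTRUCTED_ZONE,
             ssp: Dict[str, bool] = CONSTRUCTED_SSP) -> str:
    """Return a disposition string for the message's From domain.

    dkim_signed_by is the d= domain of a valid DKIM signature, or None.
    """
    domain = from_domain(header)
    if not exists(domain):
        # Local policy, independent of SSP: a From domain that returns
        # NXDOMAIN is rejected. This is the mailout.ebay.com case.
        return "reject:nonexistent-domain"
    policy = ssp.get(domain)
    if policy is None:
        # Domain exists but publishes no policy (the ezbay.com lookalike):
        # SSP/DKIM cannot catch this; only the reader can.
        return "accept:no-policy"
    if policy and dkim_signed_by != domain:
        # Protected domain says all mail is signed, but this message is not
        # signed by it: the exact-name case SSP is designed to catch.
        return "reject:ssp-unsigned"
    return "accept:signed"
```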