[ietf-dkim] detecting header mutations after signing
hsantos at isdg.net
Mon Oct 11 18:23:45 PDT 2010
Dave CROCKER wrote:
> On 10/11/2010 3:05 PM, Wietse Venema wrote:
>> If you believe that sending mail with a valid bad guy signature is
>> an interesting attack on DKIM, then that implies that you're willing
>> to believe mail that is signed by arbitrary strangers.
> But it's not an attack on DKIM.
> It's not really an 'attack' on anything, but the most one could claim is that
> it's an attack on the recipient's reputation data base, or failure to use one.
> The DKIM part is used correctly and works fine. So there's no 'attack'.
That's "poster framing" material.
I sure hope you are right. After all, President Obama did get by your
defenses on your list.
No Signature, Double From ---> Trapped/rejected by mipassoc.org
DKIM signed Double From ----> Accepted, Resigned by mipassoc.org
So without DKIM, 100% RFC5322 compliant - trapped multiple 5322.From
headers. With DKIM, there is a loophole. Go figure.
Let's hope this DKIM exploit does not become commonplace and surprise
a bunch of layman operators. At that point, you can say you were aware
Hector Santos, CTO
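The two conditions this message describes (a message carrying more than one 5322.From header, and a DKIM signature whose h= tag covers From only once, so a second From can be prepended without invalidating the signature) can both be checked on the receiving side. The following is an added example written for this archive page; it is not code from the poster or from mipassoc.org, and the sample messages, domains and signature values in it are constructed placeholders. The oversigning check follows the RFC 6376 section 8.15 suggestion of listing a header in h= one more time than it occurs; treating any multiple-From message as rejectable regardless of DKIM status is the local policy the post argues for, not a DKIM requirement.

```python
import re
from email import message_from_string

# Constructed sample: DKIM-signed, but with two From: fields and From listed
# only once in h=. Signature and body-hash values are placeholders.
DOUBLE_FROM_SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; c=relaxed/relaxed;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: Second Sender <second@example.net>\r\n"
    "From: First Sender <first@example.org>\r\n"
    "To: list@example.com\r\n"
    "Subject: test\r\n"
    "Date: Mon, 11 Oct 2010 18:23:45 -0700\r\n"
    "\r\n"
    "body\r\n"
)

# Constructed sample: one From: field, and the signer oversigned From
# (listed twice in h=), so an added From would break the signature.
OVERSIGNED_SINGLE_FROM = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; c=relaxed/relaxed;\r\n"
    "\th=from:from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: First Sender <first@example.org>\r\n"
    "To: list@example.com\r\n"
    "Subject: test\r\n"
    "Date: Mon, 11 Oct 2010 18:23:45 -0700\r\n"
    "\r\n"
    "body\r\n"
)


def count_from_headers(raw_message: str) -> int:
    """Number of From: header fields present. RFC 5322 allows exactly one."""
    msg = message_from_string(raw_message)
    return len(msg.get_all("From", []))


def signed_header_counts(raw_message: str) -> dict:
    """Parse the h= tag of the first DKIM-Signature header and return how many
    times each header name is listed (lower-cased). {} if no signature."""
    msg = message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {}
    # Drop folding whitespace, then take the h= tag value up to the next ';'.
    flat = re.sub(r"\s+", "", sig)
    match = re.search(r"(?:^|;)h=([^;]*)", flat)
    if not match:
        return {}
    counts = {}
    for name in match.group(1).split(":"):
        if name:
            key = name.lower()
            counts[key] = counts.get(key, 0) + 1
    return counts


def assess(raw_message: str) -> dict:
    """Receiver-side policy: reject on multiple From regardless of DKIM, and
    report whether the signer oversigned From (h= lists it more times than
    the message carries it)."""
    n_from = count_from_headers(raw_message)
    counts = signed_header_counts(raw_message)
    multiple_from = n_from > 1
    return {
        "from_count": n_from,
        "multiple_from": multiple_from,
        "dkim_present": bool(counts),
        "from_oversigned": counts.get("from", 0) > n_from,
        "verdict": "reject" if multiple_from else "accept",
    }


if __name__ == "__main__":
    for label, sample in (("double-from", DOUBLE_FROM_SIGNED),
                          ("oversigned", OVERSIGNED_SINGLE_FROM)):
        print(label, assess(sample))
```

The first sample is the case the post describes: DKIM verifies, yet the message is not RFC 5322 compliant, so the From-count check has to run independently of the signature result. The second sample shows what a signer can do so that a verifier, not just a header-count policy, would catch a prepended From.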