[ietf-dkim] Proposal for new text about multiple header issues
dotis at mail-abuse.org
Mon Oct 25 14:53:14 PDT 2010
On 10/25/10 2:12 PM, Steve Atkins wrote:
> On Oct 25, 2010, at 1:58 PM, Murray S. Kucherawy wrote:
>> Isn't the more interesting attack a signature from some throwaway domain that covered a matching From: but also contained a From: indicating some high-value phish target?
> Not really, no. Signing the From: field means nothing other than that it is the same as when it was sent.
> I can sign mail with d=blighty.com and "From: doolally at ebay.com" without needing to play any games with multiple headers.
> The only interesting attack in this entire situation is the ability to take a message signed by a high-reputation domain, so that it'll get delivered to the inbox, and to replace the Subject: (and possibly From:) with your own payload.
Disagree. It could be signed by a large domain that is unlikely to be
blocked, where the high value domain can then be spoofed because of a
poorly defined DKIM verification process, regardless of where the DKIM
verification process happens to be located.
>>>> It's also not specific to MUAs. Filtering agents can be similarly
>>> They can, yes, though I'm not sure that's needed to explain why this
>>> may be a bad thing to allow.
>> Focusing on the MUA case might inadvertently suggest to implementers of other components that this is not a concern for them.
> True. Though it really shouldn't be a significant concern for them, as filtering agents that are DKIM aware (should anyone create such a thing) and have a valid DKIM identity will likely use that in preference to, say, the From: field. And if the filtering agent is not DKIM aware, it's not an issue.
DKIM verification is still DKIM verification regardless of where this
process is located. Stop hand waving. This process MUST be correctly
defined to protect the consumers of these results.
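Added example, not part of the original message or of any DKIM implementation: a check a verifier or filter could run beside signature verification to flag the multiple-header case discussed in this thread. It compares how many instances of a singleton field are present with how many the `h=` tag covers. The sample messages, the `.example` domains, the placeholder `bh=`/`b=` values and the function names are constructed for illustration, and only the first DKIM-Signature field is inspected.

```python
import re
from email import message_from_string

# Fields RFC 5322 permits at most once (subset relevant to this thread).
SINGLETONS = ("from", "subject", "date", "to")

def signed_counts(dkim_value):
    """Return {field: n} for the h= tag of one DKIM-Signature value."""
    tags = {}
    for part in re.sub(r"\s+", "", dkim_value).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key] = value
    counts = {}
    for name in tags.get("h", "").lower().split(":"):
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts

def audit(raw):
    """Flag duplicated singleton fields and instances the signature skips.

    DKIM selects instances from the bottom of the header block upward, so
    an instance prepended after signing is not covered unless the signer
    listed the field name in h= more times than it occurred.
    """
    msg = message_from_string(raw)
    signed = signed_counts(msg.get("DKIM-Signature", ""))
    findings = []
    for name in SINGLETONS:
        present = len(msg.get_all(name, []))
        if present > 1:
            findings.append((name, "duplicate"))
        if present > signed.get(name, 0):
            findings.append((name, "unsigned-instance"))
    return findings

# Constructed sample: a second From: prepended above a signed message.
SPOOFED = (
    "From: Phish Target <billing@bank.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=bulk.example; s=sel;\n"
    " h=from:subject:date:to; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Real Sender <news@bulk.example>\n"
    "To: user@example.org\n"
    "Subject: Hello\n"
    "Date: Mon, 25 Oct 2010 14:53:14 -0700\n\nbody\n"
)
# Constructed sample: one From:, signer listed "from" twice in h=.
OVERSIGNED = SPOOFED.split("\n", 1)[1].replace("h=from:", "h=from:from:")
```

A message that yields `duplicate` without `unsigned-instance` has every instance covered by `h=`, so a From: added after signing would already have broken the signature.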