[ietf-dkim] Proposal for new text about multiple header issues

[John R. Levine]

>> Isn't the more interesting attack a signature from some throwaway domain that covered a matching From: but also contained a From: indicating some high-value phish target?
>
> Not really, no. Signing the From: field means nothing other than that it is the same as when it was sent.
>
> I can sign mail with d=blighty.com and "From: doolally at ebay.com" without needing to play any games with multiple headers

Let's say your message has two From lines, one from bob at blurfle.net, one 
from security at ebay.com, and you sign the first with d=blurfle.net. 
Perhaps blurfle.net even publishes discardable ADSP.

My concern would be that filtering agents might notice the blurfle header 
and signature and deem it harmless, but an MUA would show the ebay header.

In any event, I think it's reasonable to say that DKIM signers shouldn't 
sign a message with an extra From or Subject header, and verifiers 
shouldn't say the signature on such a message is good, even if it 
validates technically.  I dug through my message archives last week, and I 
don't think I've ever seen a legit message with that flaw, so it's hard to 
think of a reason to cut such messages any slack.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly