[ietf-dkim] Proposal for new text about multiple header issues
John R. Levine
johnl at iecc.com
Mon Oct 25 17:48:41 PDT 2010
>> Isn't the more interesting attack a signature from some throwaway domain that covered a matching From: but also contained a From: indicating some high-value phish target?

> Not really, no. Signing the From: field means nothing other than that it is the same as when it was sent.
> I can sign mail with d=blighty.com and "From: doolally at ebay.com" without needing to play any games with multiple headers

Let's say your message has two From lines, one from bob at blurfle.net, one
from security at ebay.com, and you sign the first with d=blurfle.net.
Perhaps blurfle.net even publishes discardable ADSP.

My concern would be that filtering agents might notice the blurfle header
and signature and deem it harmless, but an MUA would show the ebay header.

In any event, I think it's reasonable to say that DKIM signers shouldn't
sign a message with an extra From or Subject header, and verifiers
shouldn't say the signature on such a message is good, even if it
validates technically. I dug through my message archives last week, and I
don't think I've ever seen a legit message with that flaw, so it's hard to
think of a reason to cut such messages any slack.

John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
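
The verifier-side rule proposed in this message, sketched as an added example that is not part of the original post or of any DKIM implementation: a signature that validates cryptographically is still reported as failed when From or Subject occurs more than once. The `crypto_ok` flag stands in for the result of whatever DKIM library does the cryptographic check; the function names and the sample message are constructed for illustration.

```python
import email

# The two header fields the message above names.
SINGLETONS = ("From", "Subject")

def duplicated_headers(raw: str) -> dict:
    """Return {field: [values, top to bottom]} for fields that occur more than once."""
    msg = email.message_from_string(raw)
    found = {}
    for name in SINGLETONS:
        values = msg.get_all(name, [])
        if len(values) > 1:
            found[name] = values
    return found

def signed_from(raw: str):
    """From instance covered by a single 'from' in h=.

    DKIM selects header instances from the bottom of the header block
    upward (RFC 6376, section 5.4.2), so that is the last one.
    """
    values = email.message_from_string(raw).get_all("From", [])
    return values[-1] if values else None

def verdict(raw: str, crypto_ok: bool) -> str:
    """Combine the caller's cryptographic result with the duplicate-header check."""
    if not crypto_ok:
        return "fail (signature did not validate)"
    dups = duplicated_headers(raw)
    if dups:
        return "fail (duplicate " + ", ".join(sorted(dups)) + ")"
    return "pass"

# Constructed sample: the two-From message from the scenario above.
# The bh= and b= values are placeholders, not real signature data.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=blurfle.net; s=sel;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: security@ebay.com\n"
    "From: bob@blurfle.net\n"
    "Subject: Account notice\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print("signed From:", signed_from(SAMPLE))
    print("duplicates :", duplicated_headers(SAMPLE))
    print("verdict    :", verdict(SAMPLE, crypto_ok=True))
```
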