[ietf-dkim] Final update to 4871bis for working group review
barryleiba at computer.org
Thu Jul 7 07:28:09 PDT 2011
> The signer most certainly CAN attack, but what he is attacking is not
> DKIM; rather it is the recipient, or Ebay, or lenient MTAs. DKIM is, in
> fact, his weapon of attack.
Right, but the point is that, with DKIM (as Murray says, this attack
can be mounted with or without), the signing domain is relying on its
own reputation, not that of the "fake" From. That mitigates things in
1. There's really no difference between using "d=badguy.com" to sign
"From: x at badguy.com" and then adding "From: x at ebay.com" later, and
using "d=badguy.com" to sign "From: x at ebay.com" in the first place.
No advice in this regard addresses the second case anyway.
2. Signers that do this will quickly get bad reputations, and will
never have had strongly good ones in the first place. It's never
eBay's reputation that's relevant here anyway.
Given all that, having us describe the problem is sufficient, and
that's exactly what the WG consensus has us do.
Barry, as participant
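A receiver-side check illustrating the two cases Barry lists, as an added example (not from the thread, not from any DKIM implementation): it parses a raw message, counts From: header fields, reads the d= and h= tags of the DKIM-Signature, and reports whether the signing domain is the one whose reputation is actually on the line. The h= oversigning test goes slightly beyond the message: it applies the RFC 6376 section 8.15 recommendation that a signer list "from" one extra time in h= so that a From: field added after signing breaks verification. The message samples are constructed; the signature values are placeholders and no cryptographic verification is performed.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample: one From, signed by the domain that owns that address.
SINGLE_FROM = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=badguy.com; s=sel; h=from:subject;
 bh=CONSTRUCTED=; b=CONSTRUCTED=
From: x@badguy.com
Subject: hello

body
"""

# Constructed sample: a second From: field added after signing (the thread's first case).
DOUBLE_FROM = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=badguy.com; s=sel; h=from:subject;
 bh=CONSTRUCTED=; b=CONSTRUCTED=
From: x@badguy.com
From: x@ebay.com
Subject: hello

body
"""

# Constructed sample: badguy.com signs a message carrying an ebay.com From directly
# (the thread's second case, which no header-addition advice addresses).
SPOOF_FROM = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=badguy.com; s=sel; h=from:subject;
 bh=CONSTRUCTED=; b=CONSTRUCTED=
From: x@ebay.com
Subject: hello

body
"""

# Constructed sample: signer oversigns From (RFC 6376 sec. 8.15), so an added From
# would be covered by the signature and fail verification.
OVERSIGNED = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=badguy.com; s=sel; h=from:from:subject;
 bh=CONSTRUCTED=; b=CONSTRUCTED=
From: x@badguy.com
Subject: hello

body
"""


def dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs, dropping folding whitespace."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def aligned(from_domain: str, signing_domain: str) -> bool:
    """DMARC-style relaxed alignment: same domain or From is a subdomain of d=."""
    return bool(signing_domain) and (
        from_domain == signing_domain or from_domain.endswith("." + signing_domain)
    )


def assess(raw: bytes) -> Dict[str, object]:
    """Report From/DKIM facts a receiver can act on without trusting the From display."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    froms: List[str] = [
        parseaddr(str(h))[1].rpartition("@")[2].lower()
        for h in msg.get_all("From", [])
    ]
    sigs = [dkim_tags(str(h)) for h in msg.get_all("DKIM-Signature", [])]
    signing_domains = [t.get("d", "").lower() for t in sigs]
    # Number of "from" entries in h= versus From fields present: more entries than
    # fields means any later-added From is signed as empty and breaks verification.
    h_from_count = max(
        (t.get("h", "").lower().split(":").count("from") for t in sigs), default=0
    )
    if len(froms) != 1:
        # RFC 5322 allows exactly one From field; reject rather than guess which is real.
        verdict = "reject-duplicate-from"
    elif any(aligned(froms[0], d) for d in signing_domains):
        verdict = "aligned"
    else:
        # Signature is valid for d=, but reputation belongs to d=, not to the From domain.
        verdict = "unaligned"
    return {
        "from_domains": froms,
        "signing_domains": signing_domains,
        "from_oversigned": h_from_count > len(froms),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in [("single", SINGLE_FROM), ("double", DOUBLE_FROM),
                         ("spoof", SPOOF_FROM), ("oversigned", OVERSIGNED)]:
        print(name, assess(sample))
```

The "unaligned" verdict is the point of the thread: the signature on SPOOF_FROM is perfectly valid, and any reputation consequence lands on badguy.com, the d= domain, not on ebay.com. The duplicate-From rejection and the oversigning check are the two receiver- and signer-side mitigations that make the header-addition variant no more useful than signing the forged From outright.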