[ietf-dkim] Doublefrom language should be in ADSP, not core
Murray S. Kucherawy
msk at cloudmark.com
Sun Jul 10 19:48:43 PDT 2011
> -----Original Message-----
> From: ietf-dkim-bounces at mipassoc.org [mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of Michael Deutschmann
> Sent: Sunday, July 10, 2011 12:53 AM
> To: DKIM List
> Subject: Re: [ietf-dkim] Doublefrom language should be in ADSP, not core
> The attack only matters if the user believes that forgery is impossible
> because his ISP and the putative sender both "deploy ADSP" -- and thus the
> fact that the message made it to his mailbox means it has to be validly
> signed. (Of course, such users are suckers for messages from

I think the attack only matters if the MUA believes that the only thing ever present in the inbox is a validly-formed message, *and* the presence of a DKIM signature (regardless of signing domain) means the message is somehow more valid than one without.

> Otherwise, "Obama" messages with an alternate From: (which the forger
> hopes the MUA will ignore) and signature for that second From:, are no
> more convincing than plain old forgeries with a single From: and no
> signature at all.
> In fact, they can be less effective, since:
> 1. At any step on the way, the message may be rejected as a protocol

Right, or have the extra From: arbitrarily removed.

> 2. The MUA might display to the user, the From: instance that was
> intended by the forger for the validator's eyes only.
> 3. The lazy validator might act on the From: instance that was intended
> by the forger for the MUA to display.
> Failures (from the forger's perspective) 1 and 2 produce a result less
> convincing than a simple unsigned forgery. Failure 3 produces a result
> no more convincing than the simple unsigned forgery.
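
An added example, not part of the original message or of any DKIM implementation: a Python check that reports how many From: fields a message carries and which instances a signature's h= tag covers, following the bottom-up selection rule of RFC 6376 section 5.4.2. The sample message, its domains and the function name `from_field_report` are constructed for illustration; no signature is cryptographically verified.

```python
import re
from email import message_from_string

# Constructed sample: two From: fields; the signature lists "from" once in h=.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=signer.example; s=sel;\n"
    "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Display <a@display.example>\n"
    "From: Signer <b@signer.example>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def from_field_report(raw):
    """Report From: multiplicity and which instances h= covers (no crypto check)."""
    msg = message_from_string(raw)
    froms = [v.strip() for v in msg.get_all("From", [])]  # top-to-bottom order
    # Simplification: only the first DKIM-Signature field is examined.
    sig = re.sub(r"\s+", "", msg.get("DKIM-Signature", ""))
    tags = dict(t.split("=", 1) for t in sig.split(";") if "=" in t)
    listed = tags.get("h", "").lower().split(":").count("from")
    # Each "from" in h= consumes one instance, starting from the bottom.
    n_covered = min(listed, len(froms))
    split_at = len(froms) - n_covered
    return {
        "conformant": len(froms) == 1,        # RFC 5322: exactly one From:
        "first_instance": froms[0] if froms else None,
        "covered": froms[split_at:],          # instances the h= tag reaches
        "uncovered": froms[:split_at],        # instances outside the signature
        "oversigned": listed > len(froms),    # extra h= entries block an added From:
    }

if __name__ == "__main__":
    for key, value in from_field_report(SAMPLE).items():
        print(f"{key}: {value}")
```

A receiver can use the `conformant` flag to reject or flag the message before any signature result is shown, which corresponds to failure 1 in the quoted list.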