ietf-dkim

Re: [ietf-dkim] Delegating responsibility: a make vs. buy design decision

2006-08-18 10:10:57

----- Original Message -----
From: "Wietse Venema" <wietse(_at_)porcupine(_dot_)org>


In both (1) and (2) an assessment can be made on the basis of the
signing-domain. If I get mail with a signature from some no-name
signing domain, then the author-domain (rfc822.from) is mostly
irrelevant. And if I actually do have reasons to trust the
signing-domain, then the author-domain is mostly relevant in case
(1), and mostly irrelevant in case (2).

With all due respect, I'm speaking on the merits of the message, not the
person, this is nonsense.

Let's pick just one most highly probable exploitation:

What happens when 3rd party "Bad Guy" signs a DKIM-BASE valid message and
broadcasts a million messages to a million SMTP receivers with a 2822.From:
wietse(_at_)porcupine(_dot_)org?

Using your signer-domain policy lookup, it will pass the test.

If you look up the policy for porcupine.org, you are protected and a million
verifiers and their target users will not have to suffer the consequences.

Another highly probable abuse:

What happens when domain innocent.com who does not sign mail, and a 3rd
party "Bad Act" randomly selects innocent.com and signs mail, then broadcasts
to a million receivers?

Using your signer-domain lookup, it passes the test and there is instant harm
done to innocent.com and the million receivers and users.

And so on.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
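
The two lookups contrasted in this message, as an added example that is not part of the original post or of any DKIM specification. The POLICY table and its semantics, the badguy.example signer, and the sample addresses are constructed assumptions, and the signature is assumed to have already passed cryptographic verification.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS-published signing policy (hypothetical model):
# domain -> signer domains it authorizes. An empty set means "nobody signs for
# me". Anyone, including an attacker, can publish a record for a domain they own.
POLICY = {
    "porcupine.org": {"porcupine.org"},
    "innocent.com": set(),
    "badguy.example": {"badguy.example"},
}

def domains(raw):
    """Return (author_domain, signer_domain) from From: and the d= tag."""
    msg = message_from_string(raw)
    author = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    pairs = (t.partition("=") for t in msg["DKIM-Signature"].split(";"))
    tags = {k.strip(): v.strip() for k, _, v in pairs if k.strip()}
    return author, tags["d"].lower()

def evaluate(raw, lookup):
    """Policy verdict; the signature itself is assumed already verified."""
    author, signer = domains(raw)
    policy_domain = signer if lookup == "signer" else author
    allowed = POLICY.get(policy_domain)
    if allowed is None:
        return "no-policy"
    return "pass" if signer in allowed else "fail"

def sample(author_addr, signer):
    """Build a constructed message; bh= and b= values are placeholders."""
    return (
        f"DKIM-Signature: v=1; a=rsa-sha256; d={signer}; s=sel; bh=x; b=x\n"
        f"From: {author_addr}\nSubject: constructed sample\n\nbody\n"
    )

FORGED = sample("author@porcupine.org", "badguy.example")
VICTIM = sample("someone@innocent.com", "badguy.example")
LEGIT = sample("author@porcupine.org", "porcupine.org")

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("victim", VICTIM), ("legit", LEGIT)):
        print(name, evaluate(raw, "signer"), evaluate(raw, "author"))
```

Keyed on the signer, the check is self-satisfying because the signer controls the record being consulted; keyed on the author domain, the same comparison separates the third-party signature from the domain's own.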


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
