ietf-dkim

Re: [ietf-dkim] Re: Responsibility concerns with DesignatedSigning Domains

2006-08-26 20:28:01
Wietse Venema:
Hector Santos:
A bad actor can register look-alike domains and add their own DKIM
signature sent through any number of providers. Designation does not
make this problem worse.  With the entire email address being
internationalized, a problem of visual recognition must be handled
through other strategies.

What Frank is saying is the ISP.COM has all power to control this and
protect his users from direct DKIM phish attacks in a very elegant and
graceful manner using SSP.

Example:

Apologies. Let me phrase this better.

None of these loopholes would exist if signatures could vouch only
for rfc822.from domains that match the signature's d= domain (*).
Third party signatures are part of the problem. Making them "work
right" requires additional complexity.  Complexity leads to error,
vulnerability and exploitation.

        Wietse

(*) This is possible even when the signer is in a different domain.
    All they need is the private key that matches the public key
    in the d= DNS record. That record can, but does not have to,
    be CNAME delegated to the signer's DNS.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
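The mechanism in the footnote, as an added example that is not part of this thread and not code from any DKIM implementation: a Go program (standard library only) in which isp.com publishes esp1._domainkey.isp.com as a CNAME into the signer's zone, the signer holds the matching private key and signs with d=isp.com, and the verifier refuses any signature whose d= differs from the rfc822.From domain before it fetches a key at all. The domain names (isp.com, esp.example), selector names, the in-memory resolver, the sample headers and the header canonicalization are all assumptions made for this example; the canonicalization is deliberately simplified and is not DKIM's simple or relaxed algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed stand-in for DNS so the example runs offline: a name either
// aliases another name (cname) or carries a DKIM key record (txt).
type dnsRecord struct{ cname, txt string }
type resolver map[string]dnsRecord

// lookupTXT follows CNAMEs (bounded) the way a real resolver would when
// isp.com delegates its selector into the signer's zone.
func (r resolver) lookupTXT(name string) (string, error) {
	for i := 0; i < 8; i++ {
		rec, ok := r[strings.ToLower(name)]
		if !ok {
			return "", fmt.Errorf("no record for %s", name)
		}
		if rec.cname == "" {
			return rec.txt, nil
		}
		name = rec.cname
	}
	return "", fmt.Errorf("CNAME chain too long at %s", name)
}

// parseTags splits "k=v; k=v" (DKIM-Signature and key records share the form).
func parseTags(v string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(v, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			out[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return out
}

// fromDomain returns the lower-cased domain of the rfc822.From address.
func fromDomain(from string) string {
	addr := from
	if i := strings.LastIndex(from, "<"); i >= 0 {
		addr = strings.TrimSuffix(from[i+1:], ">")
	}
	if at := strings.LastIndex(addr, "@"); at >= 0 {
		return strings.ToLower(strings.TrimSpace(addr[at+1:]))
	}
	return ""
}

var signedHeaders = []string{"From", "To", "Subject"}

// signedInput is a simplified canonicalization (lower-cased name, trimmed
// value, one header per line), an assumption of this example, not DKIM's own.
func signedInput(h map[string]string) []byte {
	var b strings.Builder
	for _, n := range signedHeaders {
		b.WriteString(strings.ToLower(n) + ":" + strings.TrimSpace(h[n]) + "\n")
	}
	return []byte(b.String())
}

// sign builds a minimal DKIM-Signature; the signer picks d= and s= freely,
// but the key must be the one published under <s>._domainkey.<d>.
func sign(key *rsa.PrivateKey, d, s string, h map[string]string) string {
	sum := sha256.Sum256(signedInput(h))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		panic(err)
	}
	return fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; h=from:to:subject; b=%s",
		d, s, base64.StdEncoding.EncodeToString(sig))
}

// keyRecord renders a public key as the TXT record published at the selector.
func keyRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// verify applies the footnote's rule: the signature vouches for the message
// only if d= equals the From domain. Only then is the key fetched (CNAMEs
// followed) and the RSA signature checked.
func verify(dns resolver, h map[string]string) error {
	tags := parseTags(h["DKIM-Signature"])
	d, from := strings.ToLower(tags["d"]), fromDomain(h["From"])
	if d == "" || d != from {
		return fmt.Errorf("d=%q does not match From domain %q", d, from)
	}
	txt, err := dns.lookupTXT(tags["s"] + "._domainkey." + d)
	if err != nil {
		return err
	}
	der, err1 := base64.StdEncoding.DecodeString(parseTags(txt)["p"])
	sig, err2 := base64.StdEncoding.DecodeString(tags["b"])
	pub, err3 := x509.ParsePKIXPublicKey(der)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err1 != nil || err2 != nil || err3 != nil || !ok {
		return fmt.Errorf("malformed key record or signature")
	}
	sum := sha256.Sum256(signedInput(h))
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, sum[:], sig)
}

// scenario builds the constructed zones: isp.com's selector "esp1" is a CNAME
// into the ESP's zone, which publishes the key the ESP actually holds. The
// ESP also has a selector of its own (s1) under esp.example.
func scenario() (resolver, *rsa.PrivateKey, *rsa.PrivateKey) {
	espKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	return resolver{
		"esp1._domainkey.isp.com":   {cname: "isp-com.dkim.esp.example"},
		"isp-com.dkim.esp.example":  {txt: keyRecord(&espKey.PublicKey)},
		"s1._domainkey.esp.example": {txt: keyRecord(&otherKey.PublicKey)},
	}, espKey, otherKey
}

// message returns constructed headers for mail From isp.com, signed with key under d=/s=.
func message(key *rsa.PrivateKey, d, s string) map[string]string {
	h := map[string]string{"From": "Alice <alice@isp.com>", "To": "bob@example.net", "Subject": "hello"}
	h["DKIM-Signature"] = sign(key, d, s, h)
	return h
}

func main() {
	dns, espKey, otherKey := scenario()
	fmt.Println("delegated signer, d=isp.com:        ", verify(dns, message(espKey, "isp.com", "esp1")))
	fmt.Println("third-party signer, d=esp.example:  ", verify(dns, message(otherKey, "esp.example", "s1")))
	fmt.Println("d=isp.com but not isp.com's key:    ", verify(dns, message(otherKey, "isp.com", "esp1")))
}
```

The first case succeeds because the CNAME lands on a record whose key matches the one the ESP signed with; the second is refused on the d=/From comparison alone, with no DNS lookup; the third passes the comparison, follows the CNAME, and fails at the RSA check because the signer did not hold the delegated key. A look-alike From domain that the attacker controls and signs for is not caught by this rule, which is the visual-recognition problem the quoted text leaves to other strategies.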