On Thu, 14 Oct 2010 19:01:17 +0100, Alessandro Vesely
On 13/Oct/10 20:45, Scott Kitterman wrote:
On Wednesday, October 13, 2010 12:54:23 pm Murray S. Kucherawy wrote:
If we can extract DKIM from the equation entirely and the problem
how is it a DKIM problem?
If the DKIM signature doesn't verify after signed headers have been
then it's not.
Correct. And the way that it fails to verify is h=from:from.
That only works when the signature is created by the Good Guys.
When the Bad Guys create signatures (using a throwaway domain), they will
conveniently "forget" to do h=from:from.
The only way that DKIM can consistently account for this exploit is by
amending section 5.5 "Recommended Signature Content", and spell what
fields MUST/SHOULD be duplicated in the h= tag.
No, the only way is to amend DKIM so that the verifiers MUST/SHOULD take
the right action.
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
NOTE WELL: This list operates according to