Re: The cost of choices

ietf-mailsig

Re: The cost of choices

2005-07-29 14:35:03


On July 29, 2005 at 13:45, Michael Thomas wrote:

I'm not seeing how this prevents a malicious domain from spoofing
the OP identity if the OP has third-party signatures enabled?
If you can provide a more detailed example, I would appreciate it.


Note that this mainly a question of what the receiver does once it's 
validated
a signature (eg, the RSA check succeeds). At that point, the receiver 
can try
to see if the signature binds to an outside address -- like say the From 
address.


The problem is that DKIM does not define any robust binding capabilities
of the signer.  Since the i= tag does not have to equal From, how
does the verifier know exactly what the signature is bound to?

--ewh

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: DKIM KEY SSP Override Option [was Re: The cost of choices], (continued) Re: DKIM KEY SSP Override Option [was Re: The cost of choices], Jim Fenton Re: DKIM KEY SSP Override Option [was Re: The cost of choices], Jim Fenton Re: The cost of choices, Earl Hood Re: The cost of choices, Arvel Hathcock Re: The cost of choices, Earl Hood Re: The cost of choices, Arvel Hathcock Re: The cost of choices, Jim Fenton Re: The cost of choices, Earl Hood Re: The cost of choices, Earl Hood Re: The cost of choices, Michael Thomas Re: The cost of choices, Earl Hood <= Re: The cost of choices, Michael Thomas Re: The cost of choices, Earl Hood Re: The cost of choices, Michael Thomas Re: The cost of choices, Dave Crocker Re: The cost of choices, Earl Hood RE: The cost of choices, Dave Crocker RE: The cost of choices, James Scott

Previous by Date:	Re: revised Proposed Charter, Douglas Otis
Next by Date:	Re: SSP - 3rd party Signers - Definition/Usage, Hector Santos
Previous by Thread:	Re: The cost of choices, Michael Thomas
Next by Thread:	Re: The cost of choices, Michael Thomas
Indexes:	[Date] [Thread] [Top] [All Lists]