Earl Hood wrote:
On July 29, 2005 at 14:58, Michael Thomas wrote:
subdomainof ($test, $domain) {
if ($test is improper subdomain of $domain)
return TRUE;
else
return FALSE;
}
Shouldn't subdomainof return TRUE if $test is a proper subdomain
of $domain?
I believe that I'm using my set nomenclature correctly.
That is, $test=example.com $domain=example.com returns
TRUE. That's not a proper subdomain.
General comment: It may be useful to have different indicators
specify why the signature did not verify. Make failure report
analysis much easier.
Yes, but the most productive thing, IMO, is to think of
this in terms of the Auth-res draft. I continue think
that it needs some tweaking to capture some of these
kinds of subtlties too.
To clarify, the SSP is only checked if i= does not match From?
Even if the signature RSA validates.
Yes. As currently defined, SSP is a From-based attribute.
I still think it is possible to do "partial" spoofing. For example,
a malicious domain can bind to the rfc2822.Sender address, and if the
rfc2822.From SSP allows 3rd-party signing, malicious domain can
send out messages with whatever rfc2822.From as long as they use
a rfc2822.Sender in their domain. Due to this, no one should
ever enable 3rd-party signing.
That's true. For a very long time, it's been my opinion
that i=From: is really the gold standard. I believe that
Sender signing may be useful, but probably only in a
more restrictive and/or less algorithmic manner. For
example, Sender signing in conjunction with white lists
may well provide adequate protection. I do believe that
this deserves a good discussion in the draft though.
MUAs tend to highlight only the rfc2822.From and not the
rfc2822.Sender. It seems to me that if DKIM is going to be accepted by
the end-user community, MUAs will need to become DKIM-aware so proper
verification indications can be displayed to message receipients.
Note that it's not particularly difficult to change the rendering
on most modern MUA's today to take advantage of DKIM. Searching
Auth-Res for header.From and dkim=pass and then coloring the
headers, oh say, green isn't rocket science.
Mike