On 11/30/10 11:55 AM, Murray S. Kucherawy wrote:
> On Tuesday, November 30, 2010 11:11 AM, Douglas Otis wrote:
>> DKIM should be repaired to ensure deceptive malformed header fields do
>> not verify as having valid DKIM signatures to prevent the exploits, such
>> as having multiple singleton header fields invalidate signatures. DKIM
>> should have included checks necessary to disqualify messages likely
>> crafted by malefactors. These checks may need to grow over time. The
>> impact of adding checks to DKIM's verification process will not justify
>> new mandates for making message repairs or rejections by SMTP or MUAs.
> [...]
> I think this is completely off-topic for the work being discussed here, Doug.
> The discussion has to do with what MTAs, and perhaps MUAs if that's
> appropriate, should do with common malformations independent of things like
> DKIM.

Murray,
Any deviations from standards normally used by malefactors to deceive
recipients should be rejected! Unfortunately this draft suggests:
1) Ignore
2) Repair
3) Reject
Ignoring and repairing remain problematic. IMHO, repair will never be
required for SMTP or MUA level compliance. Without format compliance
being part of trust related verifications, systems claiming enhanced
levels of trust will not be trustworthy. Since SMTP does not mandate
non-compliance be rejected, the only reasonable strategy is to ensure
mechanisms such as DKIM make no exploitable assertions when confronting
malformed messages.
I see this draft as a dubious attempt to suggest SMTP or MUAs should be
expected to defend enhanced levels of trust based upon mechanisms such
as DKIM. This is inherently wrong, as this will result in indeterminate
message status and untrustworthy systems.
-Doug
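A check of the kind Doug asks for, as an added example written for this page (not code from the thread or from any DKIM implementation): it counts the RFC 5322 singleton header fields in a raw message and, for any duplicate, reports how many copies the DKIM-Signature h= tag covers, since RFC 6376 lets a signer list a field name more than once so that added copies fall outside the signature. A non-empty result means a DKIM "pass" should not be reported as trustworthy. The sample message, domains and selector are constructed.

```python
import re
from collections import Counter
# RFC 5322 section 3.6: at most one occurrence each; Date and From are required.
SINGLETON_FIELDS = frozenset("date from sender reply-to to cc bcc message-id "
                             "in-reply-to references subject".split())
REQUIRED_FIELDS = frozenset({"date", "from"})

def header_fields(raw: bytes) -> list:
    """(lower-cased name, unfolded value) pairs up to the first empty line."""
    fields = []
    for line in raw.replace(b"\r\n", b"\n").split(b"\n"):
        if line == b"":
            break
        text = line.decode("ascii", "replace")
        if text[:1] in (" ", "\t") and fields:  # folded continuation line
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + text.strip())
            continue
        name, sep, value = text.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields

def signed_header_counts(fields):
    """Name counts from the first DKIM-Signature h= tag, None if unsigned."""
    for name, value in fields:
        if name == "dkim-signature":
            m = re.search(r"(?:^|;)\s*h=([^;]*)", value)
            listed = m.group(1).split(":") if m else []  # a name may repeat
            return Counter(h.strip().lower() for h in listed if h.strip())
    return None

def header_violations(raw: bytes) -> dict:
    """{field: reason} for each malformation that should void a DKIM pass."""
    fields = header_fields(raw)
    seen = Counter(name for name, _ in fields)
    signed = signed_header_counts(fields)
    problems = {}
    for f in sorted(REQUIRED_FIELDS - set(seen)):
        problems[f] = "required field missing"
    for f in sorted(SINGLETON_FIELDS):
        if seen[f] > 1:  # copies beyond the h= count are outside the signature
            covered = f" (h= covers {signed[f]})" if signed is not None else ""
            problems[f] = f"{seen[f]} copies of singleton field{covered}"
    return problems

# Constructed sample: a signed message with a second From: prepended to it.
SPOOFED = (b"From: helpdesk@example.org\r\nDKIM-Signature: v=1; a=rsa-sha256;\r\n"
           b" d=example.com; s=sel; h=from:to:subject:date; bh=X; b=X\r\n"
           b"From: admin@example.com\r\nTo: staff@example.com\r\nSubject: hi\r\n"
           b"Date: Tue, 30 Nov 2010 11:55:00 -0800\r\n\r\nbody\r\n")
```

The parser stops at the first empty line and unfolds continuation lines itself rather than relying on a lenient library parser, so the count reflects what a recipient's MUA will actually see in the header block.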