ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] DKIM Threat Assessment v0.02 (very rough draft)

2005-08-09 20:02:44
On August 9, 2005 at 17:11, Michael Thomas wrote:

  "Yahoo! DomainKeys has confirmed that this message was sent by
*verified-domain*."

So your users all understand that "verified-domain" means
that means From: *(_at_)example(_dot_)com instead of  From: 
user(_at_)example(_dot_)com
is what's really believable? Somehow I'm guessing they aren't
going to make that distinction, even if that's technically true.

This is not accurate.  Your text implies rfc2822.From and currently,
DKIM does not verify that, directly.  I.e.  The domain portion
of the rfc2822.From address can be completely different from
the signing domain.

(Note, I'm inclined to agree that end-users may not understand what
is being indicated, and any MUA-based support will need to consider
how verification feedback is displayed very carefully.)

In the example Yahoo message above, "*verified-domain*" may not
match the domain in rfc2822.From.

As DKIM SSP is currently defined, this allows malicious domains
to forge the rfc2822.From and still pass DKIM verification.  This
should be addressed in the next set of drafts, but we'll have to
wait when they come out to know for sure.

(See past threads about spoofing and SSP on
ietf-mailsig.  A search for "spoofing or SSP" at
<http://www.mhonarc.org/archive/html/ietf-mailsig/> will give you
plenty of hits.)

--ewh
_______________________________________________
ietf-dkim mailing list
ietf-dkim(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/ietf-dkim

<Prev in Thread] Current Thread [Next in Thread>