ietf-dkim

Re: [ietf-dkim] Re: dkim service and mail lists

2005-10-19 14:33:53
Earl Hood wrote:

As I have argued before, allowing 3rd-party signatures opens you up
to general spoofing by malicious domains (as DKIM SSP is currently
defined).

There's a difference between allowing their existence and relying on them
in the same fashion as a first party signature. I think DKIM ought to do the
former.

5) When user has no 3rd-party signatures allowed in policy record and recipient sees that such email is a different length (i.e. it came through 3rd party), I would argue that recipient can then reject such emails (that is what policy says after all!) but optionally it can also still decide to cut email to exactly what it originally was and let it through.

The only way to have the length specifier not be a security
vulnerability is to require all verifiers to strip all content that
exceeds the length.
Which is to say that today (e.g., pre-DKIM), any inbound MTA ought to strip all content.
Correct?

      Mike
_______________________________________________
ietf-dkim mailing list
http://dkim.org
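
Added example, not part of the original message or of any DKIM implementation: a simplified Python model of the body length count (the l= tag) debated above, showing why content appended after the signed length still verifies and what a verifier that strips the excess delivers. It assumes "simple" body canonicalization and a SHA-256 hash over the body only; the function names and the sample message are constructed for illustration.

```python
import base64
import hashlib

def simple_body(body: bytes) -> bytes:
    """'simple' body canonicalization: no empty lines at the end, one final CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes, length=None) -> str:
    """Base64 SHA-256 of the canonical body, limited to `length` octets if given."""
    canon = simple_body(body)
    if length is not None:
        if length > len(canon):
            raise ValueError("signed length exceeds the body")
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def check_body(body: bytes, signed_hash: str, length=None):
    """Return (verdict, body_to_deliver). Octets past `length` were never signed,
    so a passing message is cut back to exactly the signed portion."""
    canon = simple_body(body)
    try:
        ok = body_hash(body, length) == signed_hash
    except ValueError:
        return ("fail", None)
    if not ok:
        return ("fail", None)
    if length is None or length == len(canon):
        return ("pass", canon)
    return ("pass-truncated", canon[:length])

# Constructed sample: what the author signed, and what a list relay forwarded.
ORIGINAL = b"Meeting moved to 3pm.\r\n"
RELAYED = ORIGINAL + b"-- \r\nfooter added in transit (unsigned)\r\n"
SIGNED_LEN = len(simple_body(ORIGINAL))
SIGNED_HASH = body_hash(ORIGINAL, SIGNED_LEN)

if __name__ == "__main__":
    # Without a length count the relayed copy fails outright.
    print(check_body(RELAYED, body_hash(ORIGINAL)))
    # With a length count it passes, and only the signed octets are delivered.
    print(check_body(RELAYED, SIGNED_HASH, SIGNED_LEN))
```

A verifier that reports "pass" but hands the full relayed body to the recipient is the case the thread calls a vulnerability; returning the truncated body is the stripping behaviour proposed as the fix.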