On October 19, 2005 at 14:18, Michael Thomas wrote:
As I have argued before, allowing 3rd-party signatures open you up
to general spoofing by malicious domains (as DKIM SSP is currently
defined).
There's a difference between allowing their existence and relying on them
in the same fashion as a first party signature. I think DKIM ought to do the
former.
Not sure I understand your statement.
A long time back I provided an example how a malicious domain can
create a message with a valid DKIM signature with the message appearing
to be "from" someone else. Some follow-up discussion included potential
fixes to SSP to address the problem.
If this hole is not fixed (and probably as a general concern),
there is a reliance of how DKIM validation results are provided to
the end recipient, and if such results are adequately visable to the
end recipient, in order to avoid DKIM becoming a spoofing enabler.
--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org