ietf-dkim

Re: [ietf-dkim] Re: is this a problem or not?

2005-10-28 18:57:23

On Oct 28, 2005, at 5:11 PM, Frank Ellermann wrote:

> Stephen Farrell wrote:
>
>> 1. Alice works for Alice-Corp who publish a policy to the effect
>>    that they and only they sign all their outbound mail.
>> 2. Alice posts a message to Foo-list which signs the message
>>    itself and drops Alice's signature.
>> 3. Bob receives the message from the Foo-list, signed by the list.
>> 4. Bob looks up Alice-Corp's ssp assertion and considers the
>>    message as having a bad signature.
>> 5. In order to alleviate this problem Alice-Corp are forced
>>    to weaken their policy to allow 3rd party signatures to be
>>    accepted by Bob.
>>
>> If the above is possible, how should/can it be avoided?
>
> Never ever sign anything that is already signed.  Or at the
> very minimum don't "drop" signatures.
>
> It's the point of DKIM to find some "accountable" party as
> near to the sender/originator/author (pick what you like)
> as possible.  Therefore step 2 in your scenario is strange.

Removing or over-writing signatures (as reviewed in the multiple signature section of my threat review) would ensure the list does not expose other domains to replay abuse. A good thing. I even took this further and suggested all Administrative Units may wish to over-write verified signatures and replace these signatures with a signature that by convention is never accepted outside the Administrative Unit. If the subject lines and message content were intentionally changed, and the list-server wished to permit a name basis for accepting messages, then signing all outbound messages would be a solution. Ensuring the initial signature no longer verifies could be considered a good practice. This would therefore handle all messages that have been submitted and also establish a channel where replays would not be a concern.

> Why does the list do this, because it manipulated Alice's
> mail?  Then Bob's result in step 4 is correct, this mail
> was "forged" (= the "list" might be some attacker, social
> engineering abusing Alice's address).

If the list-server has a good reputation, why does the reputation of every subscriber to this list need to be questioned? Why can't the list be held accountable for their messages?

> If Alice and Bob insist on using a list that manipulates
> mail they have to white list it.  Or find a new list admin
> with some clue to stop this abuse.

What abuse?  Why is white-listing needed?

> Step 4 means "DKIM working as designed", it's a feature
> and no bug.

Breaking everything is a feature? Limiting email addresses to a single provider is a feature?

-Doug
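The five steps quoted above, modelled as an added example (this is not code from the list discussion, from Doug, or from any DKIM implementation). The script signs a message for Alice's domain, relays it through a list that tags the Subject and either drops or keeps the earlier signature, then runs Bob's step-4 check against a published policy. Everything here is a constructed stand-in: an HMAC keyed per domain replaces DKIM's RSA signature and DNS key lookup, the `.example` domains and key material are invented, and the policy values `STRICT` / `THIRD_PARTY_OK` are an assumed simplification of an SSP assertion.

```python
import hashlib
import hmac
from copy import deepcopy

# Constructed per-domain secrets. They stand in for DKIM's RSA key pairs and
# DNS selector lookup so the example runs offline with the standard library.
DOMAIN_KEYS = {
    "alice-corp.example": b"alice-corp-signing-key",
    "foo-list.example": b"foo-list-signing-key",
}

# Assumed simplification of a sender signing policy (SSP) assertion.
STRICT = "strict"                  # only the author domain signs its mail
THIRD_PARTY_OK = "third-party-ok"  # any verifiable signature is acceptable

# Headers covered by the signature (the "h=" list in a real DKIM-Signature).
SIGNED_HEADERS = ("from", "subject")


def _canonical(msg):
    """Signed headers plus a body hash, roughly as DKIM canonicalises them."""
    parts = [f"{name}:{msg['headers'].get(name, '').strip()}" for name in SIGNED_HEADERS]
    parts.append("bh=" + hashlib.sha256(msg["body"].encode()).hexdigest())
    return "\n".join(parts).encode()


def sign(msg, domain):
    """Return a copy of msg with a signature for `domain` appended."""
    signed = deepcopy(msg)
    tag = hmac.new(DOMAIN_KEYS[domain], _canonical(signed), hashlib.sha256).hexdigest()
    signed["signatures"].append({"d": domain, "b": tag})
    return signed


def verified_signers(msg):
    """Domains whose signature still verifies against the message as received."""
    good = []
    for sig in msg["signatures"]:
        key = DOMAIN_KEYS.get(sig["d"])
        if key is None:
            continue  # unknown signer: no key, so the signature cannot verify
        expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig["b"]):
            good.append(sig["d"])
    return good


def author_domain(msg):
    """Domain of the From: address, the domain whose policy Bob consults."""
    return msg["headers"]["from"].split("@", 1)[1].lower()


def evaluate(msg, policies):
    """Bob's check in step 4: verifying signers against the author domain's policy."""
    author = author_domain(msg)
    signers = verified_signers(msg)
    if author in signers:
        return "pass"                # author domain's own signature verifies
    if policies.get(author) == THIRD_PARTY_OK and signers:
        return "pass-third-party"    # accepted only because policy was weakened (step 5)
    return "fail"                    # strict policy and no author-domain signature


def relay_through_list(msg, list_domain, strip_existing=True):
    """Steps 2-3: the list tags the Subject, optionally drops prior signatures, re-signs."""
    relayed = deepcopy(msg)
    relayed["headers"]["subject"] = "[foo-list] " + relayed["headers"]["subject"]
    if strip_existing:
        relayed["signatures"] = []
    return sign(relayed, list_domain)


def new_message():
    """Constructed sample message from Alice, unsigned."""
    return {"headers": {"from": "alice@alice-corp.example", "subject": "status"},
            "body": "hello\n", "signatures": []}


if __name__ == "__main__":
    original = sign(new_message(), "alice-corp.example")
    via_list = relay_through_list(original, "foo-list.example")
    print("direct, strict:      ", evaluate(original, {"alice-corp.example": STRICT}))
    print("via list, strict:    ", evaluate(via_list, {"alice-corp.example": STRICT}))
    print("via list, 3rd party: ", evaluate(via_list, {"alice-corp.example": THIRD_PARTY_OK}))
    kept = relay_through_list(original, "foo-list.example", strip_existing=False)
    print("list kept Alice's sig, verifying signers:", verified_signers(kept))
```

The `strip_existing=False` run covers the "don't drop signatures" suggestion: because the list also rewrites a signed header, Alice's signature no longer verifies even when it is left in place, so only the list's signature survives and a strict policy still yields `fail`. Under this model the outcome is decided by what the list changes, not by whether it deletes the header.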


_______________________________________________
ietf-dkim mailing list
http://dkim.org