On Oct 28, 2005, at 5:11 PM, Frank Ellermann wrote:
> Stephen Farrell wrote:
>> 1. Alice works for Alice-Corp who publish a policy to the effect
>> that they and only they sign all their outbound mail.
>> 2. Alice posts a message to Foo-list which signs the message
>> itself and drops Alice's signature.
>> 3. Bob receives the message from the Foo-list, signed by the list.
>> 4. Bob looks up Alice-Corp's ssp assertion and considers the
>> message as having a bad signature.
>> 5. In order to alleviate this problem Alice-Corp are forced
>> to weaken their policy to allow 3rd party signatures to be
>> accepted by Bob.
>> If the above is possible, how should/can it be avoided?
>
> Never ever sign anything that is already signed. Or at the
> very minimum don't "drop" signatures.
>
> It's the point of DKIM to find some "accountable" party as
> near to the sender/originator/author (pick what you like)
> as possible. Therefore step 2 in your scenario is strange.

Removing or over-writing signatures (as reviewed in the multiple
signature section of my threat review) would ensure the list does not
expose other domains to replay abuse. A good thing. I even took
this further and suggested all Administrative Units may wish to over-write
verified signatures and replace these signatures with a
signature that by convention is never accepted outside the
Administrative Unit. If the subject lines and message content were
intentionally changed, and the list-server wished to permit a name
basis for accepting messages, then signing all outbound messages
would be a solution. Ensuring the initial signature no longer
verifies could be considered a good practice. This would therefore
handle all messages that have been submitted and also establish a
channel where replays would not be a concern.

> Why does the list do this, because it manipulated Alice's
> mail? Then Bob's result in step 4 is correct, this mail
> was "forged" (= the "list" might be some attacker, social
> engineering abusing Alice's address).

If the list-server has a good reputation, why does the reputation of
every subscriber to this list need to be questioned? Why can't the
list be held accountable for their messages?

> If Alice and Bob insist on using a list that manipulates
> mail they have to white list it. Or find a new list admin
> with some clue to stop this abuse.

What abuse? Why is white-listing needed?

> Step 4 means "DKIM working as designed", it's a feature
> and no bug.

Break everything is a feature? Limit email-addresses to a single
provider is a feature?
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
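Steps 4 and 5 of the scenario reduced to Bob's policy check, as an added example that is not part of this thread or of any DKIM implementation: the author domain, the signing domains that verified, and Alice-Corp's SSP assertion decide the verdict. The message, the two policy flags and the domain names are constructed for the example; signature verification itself is assumed to have already happened.

```python
# Toy model of the SSP scenario in this thread. Added example, not code from
# the list, from any participant, or from any DKIM implementation. Assumed:
# every DKIM-Signature header present counts as already *verified*; SSP is
# reduced to two flags per author domain; Frank's "white list" is a set of
# list domains that Bob trusts as re-signers.
import email
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    signs_all: bool           # "we, and only we, sign all our outbound mail"
    allows_third_party: bool  # step 5: "a signature from someone else is ok"

def author_domain(msg):
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else None

def signer_domains(msg):
    """d= domain of every DKIM-Signature header (assumed verified, see above)."""
    found = []
    for hdr in msg.get_all("DKIM-Signature", []):
        m = re.search(r"\bd=([\w.-]+)", hdr)
        if m:
            found.append(m.group(1).lower())
    return found

def verdict(msg, ssp, trusted_lists=frozenset()):
    """Bob's decision (step 4): compare the signatures seen with the author's SSP."""
    author, signers = author_domain(msg), signer_domains(msg)
    policy = ssp.get(author)
    if author in signers:
        return "pass"      # first-party signature survived the list
    if policy is None or not policy.signs_all:
        return "neutral"   # nothing asserted, so nothing to enforce
    if any(s in trusted_lists for s in signers):
        return "pass"      # Frank's way out: Bob white-lists the list
    if policy.allows_third_party and signers:
        return "pass"      # step 5: Alice-Corp weakened its policy
    return "fail"          # step 4: policy says Alice-Corp signs everything

# Constructed sample: the message as Bob receives it after Foo-list dropped
# Alice's signature and added its own (steps 2 and 3).
LIST_OUTPUT = email.message_from_string(
    "From: alice@alice-corp.example\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=foo-list.example; s=list; b=...\n"
    "Subject: [Foo-list] hello\n\nbody\n")
STRICT = {"alice-corp.example": Policy(signs_all=True, allows_third_party=False)}
WEAKENED = {"alice-corp.example": Policy(signs_all=True, allows_third_party=True)}
```

Running `verdict(LIST_OUTPUT, STRICT)` gives "fail" (Stephen's step 4), while the weakened policy or a white-list entry for foo-list.example gives "pass".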