On Feb 14, 2006, at 3:54 PM, Frank Ellermann wrote:
Markley, Mike wrote:
I am not, however, aware of any mechanism for preventing a
malicious TLD operator from publishing a key at _domainkey.<tld>.
This suggests to me that it's quite possible for the operators of
the TLD, whether that's Verisign or some government-controlled
agency, can then send mail with d=tld and i=user(_at_)example(_dot_)tld, and
that such a message's signature would validate.
Hi, that sounds like a general "bug" or "feature" not limited to
TLDs, it would be the same with say ac.uk or navy.mil SLDs, or any
other domain with "independent" (zone cut) subdomains.
This suggests the 'i=' feature is prone as there are no confirming
label requirements similar to that used to define the boundary
between the domain and the selector paths being a "_domainkey"
label. This is especially problematic as the selector may use
multiple labels as well.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://dkim.org/ietf-list-rules.html