On Apr 4, 2006, at 8:44 AM, Dave Crocker wrote:
Douglas Otis wrote:
Sorry, I still don't understand what the purpose or impact of
this attack is. Can you explain?
An attack may be enabled by replaying a message compromised due to
a weak hash, key, or canonicalization algorithm.
You didn't answer his question (or, by derivation, mine.)
DKIM can establish a trust relationship between the signing-domain
and the recipient. Being able to exploit that trust relationship can
be used to both defraud the recipient, and damage the trust that
might have been established by the signing-domain. If there is an
exploit that becomes a problem, both parties should be able to
quickly upgrade and find protection.
The message may have been a message from a financial institution asking to
check the account and offering a helpful login link. The recipient
might trust this link when led to understand this domain signs their
messages and that their MDA/MUA places non-compliant messages into
their spam folder.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html