Doug,
Douglas Otis wrote:
On Apr 4, 2006, at 8:44 AM, Dave Crocker wrote:
Douglas Otis wrote:
Sorry, I still don't understand what the purpose or impact of this
attack is. Can you explain?
An attack may be enabled by replaying a message compromised due to a
weak hash, key, or canonicalization algorithm.
You didn't answer his question (or, by derivation, mine.)
DKIM can establish a trust relationship between the signing-domain and
the recipient. Being able to exploit that trust relationship can be
used to both defraud the recipient, and damage the trust that might have
been established by the signing-domain. If there is an exploit that
becomes a problem, both parties should be able to quickly upgrade and
find protection.
The message may have been a message from a financial institution asking to
check the account and offering a helpful login link. The recipient
might trust this link when led to understand this domain signs their
messages and that their MDA/MUA places non-compliant messages into their
spam folder.
Nor can I see what this has to do with removing one of a bunch of
signatures.
Maybe we should move on and you can raise the replay issue again
later (I bet you will, eh:-)
S.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
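The "upgrade and find protection" point above, illustrated as an added example that is not part of the thread: a verifier-side policy check that parses each DKIM-Signature header (RFC 6376 tag=value syntax) and discards signatures made with a hash algorithm, canonicalization, coverage or key size the site no longer trusts, before any cryptographic verification. The accepted-algorithm set, minimum key size and the sample message are assumptions chosen for the example.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional

# Policy values are illustrative choices for this example, not from the thread.
ACCEPTED_ALGS = {"rsa-sha256", "ed25519-sha256"}  # rsa-sha1 deliberately absent
MIN_RSA_BITS = 1024

# Constructed sample: two signatures, one made with a hash the policy no longer trusts.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com; s=old;\n"
    " h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=new;\n"
    " h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==\n"
    "From: bank@example.com\nTo: user@example.net\nSubject: check your account\n"
    "\nPlease log in at the link below.\n"
)

def parse_dkim_tags(value: str) -> Dict[str, str]:
    """Parse a DKIM-Signature tag=value list (RFC 6376), unfolding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def refusal_reasons(tags: Dict[str, str], key_bits: Optional[int] = None) -> List[str]:
    """Reasons to refuse a signature before any cryptographic verification;
    an empty list means the signature may proceed to verification."""
    reasons = []
    alg = tags.get("a", "")
    if alg not in ACCEPTED_ALGS:
        reasons.append(f"algorithm {alg or '(missing)'} not accepted")
    hdr_c, _, body_c = tags.get("c", "simple/simple").partition("/")
    if hdr_c not in ("simple", "relaxed") or (body_c or "simple") not in ("simple", "relaxed"):
        reasons.append(f"unknown canonicalization {tags.get('c')}")
    if "from" not in {h.lower() for h in tags.get("h", "").split(":")}:
        reasons.append("From header not covered by the signature")
    if "l" in tags:
        reasons.append("body length limit (l=) leaves trailing body content unsigned")
    if alg.startswith("rsa-") and key_bits is not None and key_bits < MIN_RSA_BITS:
        reasons.append(f"RSA key of {key_bits} bits is below {MIN_RSA_BITS}")
    return reasons

def acceptable_signatures(raw: str, key_bits: Optional[Dict[tuple, int]] = None) -> List[Dict[str, str]]:
    """Keep only the DKIM-Signature headers that pass policy; key_bits maps
    (d, s) to the RSA modulus size learned from the selector's DNS record."""
    msg = message_from_string(raw)
    kept = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(str(value))
        bits = (key_bits or {}).get((tags.get("d"), tags.get("s")))
        if not refusal_reasons(tags, bits):
            kept.append(tags)
    return kept
```

Run on the sample, only the rsa-sha256 signature (selector "new") survives; supplying a 512-bit key size for that selector removes it as well, leaving nothing for the verifier to trust.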