I'm starting to think a third-party-signature-only signing domain with an "I only
sign mailing lists" flag being set may be useful.
thanks,
Bill
-----Original Message-----
From: ietf-dkim-bounces@mipassoc.org on behalf of Douglas Otis
Sent: Wed 8/16/2006 6:07 PM
To: Jim Fenton
Cc: IETF-DKIM
Subject: Re: [ietf-dkim] SSP Responsibility Delegation - Security Concerns
On Aug 16, 2006, at 2:01 PM, Jim Fenton wrote:
Now suppose that isp.net also hosts some mailing lists. An attacker spoofs a
message from user@author.com to some mailing list which will accept a message
from that address. The mailing list re-signs its messages by applying a
signature from isp.net. The verifier will look at this signature and
incorrectly conclude that it's a first-party signature, while in fact it's a
third-party signature on behalf of the list.
There are many cases where a bad actor could spoof a user@author.com address
sent from isp.net. When isp.net does not use account-specific authentication,
or ensure that email addresses are permitted only after a verification of the
account being able to receive at that email address, then these would be other
cases where a problem could exist.
Here is where an organization like DAC could play an important role by
certifying which DKIM domains are taking the needed steps to protect the From
email address. Issues related to things like mailing lists could be resolved by
signing these messages using a different designated domain. This would keep the
isp.net domain from being contaminated by these other uses. Of course a mailing
list could also be placed within a different subdomain. In this case, the
designated domain should not be listed with a wildcard entry, to prevent
subdomains from being included as a designated domain.
-Doug
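To make the classification problem in this exchange concrete, here is an added illustration (not code from the thread, the DKIM specification, or any participant). It labels each DKIM-Signature d= domain on a message as first-party, designated third-party, or undesignated third-party relative to the From domain, and shows why an exact-match designated-domain check behaves differently from a wildcard one when a list signs under a subdomain such as lists.isp.net. The domains author.com, isp.net and lists.isp.net come from the thread; the message contents, the `build_message` helper, the label names and the `allow_subdomains` switch are constructed for this example. It does not verify the cryptographic signature (the b= and bh= values are placeholders), only the domain-policy question the thread is about.

```python
import email
import email.utils


def build_message(signing_domain):
    """Constructed sample: From author.com, one DKIM-Signature with the given d=.
    Signature values are placeholders; nothing here is cryptographically valid."""
    return (
        "From: user@author.com\n"
        "To: somelist@isp.net\n"
        "Subject: constructed example\n"
        f"DKIM-Signature: v=1; a=rsa-sha256; d={signing_domain}; s=lists;\n"
        "  c=relaxed/relaxed; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
        "\n"
        "body\n"
    )


def parse_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, val = part.split("=", 1)
        tags[key.strip()] = "".join(val.split())
    return tags


def from_domain(msg):
    """Domain of the (first) From address, lower-cased."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower()


def is_designated(signing_domain, designated, allow_subdomains=False):
    """Exact-match check against the designated-domain set.

    With allow_subdomains=False an entry for isp.net does NOT cover
    lists.isp.net, which is the behaviour the thread argues for (no wildcard
    entries). allow_subdomains=True models the wildcard reading for contrast."""
    signing_domain = signing_domain.lower()
    if signing_domain in designated:
        return True
    if allow_subdomains:
        return any(signing_domain.endswith("." + d) for d in designated)
    return False


def classify_signatures(raw, designated, allow_subdomains=False):
    """Return [(d_domain, label)] for every DKIM-Signature header on the message.

    first-party: d= equals the From domain or is a parent of it.
    designated-third-party: d= is in the From domain's designated set.
    undesignated-third-party: anything else (e.g. an unlisted list domain)."""
    msg = email.message_from_string(raw)
    author = from_domain(msg)
    designated = {d.lower() for d in designated}
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        d = parse_tags(header).get("d", "").lower()
        if d and (d == author or author.endswith("." + d)):
            label = "first-party"
        elif d and is_designated(d, designated, allow_subdomains):
            label = "designated-third-party"
        else:
            label = "undesignated-third-party"
        results.append((d, label))
    return results


if __name__ == "__main__":
    # author.com has designated isp.net as a signer for its outbound mail.
    designated = {"isp.net"}
    for d in ("author.com", "isp.net", "lists.isp.net"):
        print(d, classify_signatures(build_message(d), designated))
    # Same list-signed message, evaluated under the wildcard reading instead.
    print("wildcard:", classify_signatures(build_message("lists.isp.net"),
                                           designated, allow_subdomains=True))
```

The second case (d=isp.net) is Jim's concern: a list re-signing with the same domain that author.com designated is indistinguishable from author.com's own delegated mail. The third case is Doug's remedy: once the list signs under lists.isp.net and the designation is matched exactly, the message is classed as an undesignated third-party signature; only the wildcard reading would promote it back to designated.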
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html