ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [ietf-dkim] SSP Responsibility Delegation - Security Concerns

2006-08-16 15:28:58
from [Bill.Oxley] [Permanent Link] 
Im starting to think a 3rd party signature only signing domain with an I only 
sign mailing lists flag being set may be useful.
thanks,
Bill


-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org on behalf of Douglas Otis
Sent: Wed 8/16/2006 6:07 PM
To: Jim Fenton
Cc: IETF-DKIM
Subject: Re: [ietf-dkim] SSP Responsibility Delegation - Security Concerns
 

On Aug 16, 2006, at 2:01 PM, Jim Fenton wrote:


Now suppose that isp.net also hosts some mailing lists.  An  
attacker spoofs a message from user(_at_)author(_dot_)com to some mailing 
list  
which will accept a message from that address.  The mailing-list re- 
signs its messages by applying a signature from isp.net.  The  
verifier will look at this signature and incorrectly conclude that  
it's a first-party signature, while in fact it's a third-party  
signature on behalf of the list.


There are many cases where a bad actor could spoof an 
user(_at_)author(_dot_)com  
address sent from isp.net.  When isp.net does not use account  
specific authentication, or ensure that email-addresses are permitted  
only after a verification of the account being able to receive at  
that email-address, then these would be other cases where a problem  
could exist.

Here is where an organization like DAC could play an important role  
by certifying which DKIM domains are taking the needed steps to  
protect the From email-address.  Issues related to things like  
mailing list could be resolved by signing these messages using a  
different designated domain.  This would keep the isp.net domain from  
being contaminated by these other uses.  Of course a mailing list  
could also be placed within a different subdomain.  In this case, the  
designated domain should not be listed with a wildcard entry to  
prevent subdomains from being included as being a designated domain.

-Doug
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [ietf-dkim] SSP Responsibility Delegation - Security Concerns, Bill.Oxley
Next by Date:  Re: [ietf-dkim] SSP Responsibility Delegation - Security Concerns, Jim Fenton
Previous by Thread:  RE: [ietf-dkim] SSP Responsibility Delegation - Security Concerns, Bill.Oxley
Next by Thread:  Re: [ietf-dkim] SSP Responsibility Delegation - Security Concerns, Jim Fenton
Indexes:  [Date] [Thread] [Top] [All Lists]