On Wed, 11 Jul 2007 00:37:57 +0100, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org>
wrote:
On Jul 10, 2007, at 2:15 PM, Hallam-Baker, Phillip wrote:
I would like to discuss the downgrade attack certainly. We have to
address the attack either by solving it or by explaining it in the
security considerations.
Doug's statement above is not correct though. A recipient ONLY looks at
the policy record if it does not find an acceptable signature record.
That means:
Eh? A recipient can look at a policy record whenever he sees fit to do so,
and for whatever reason.
E) The message has a signature by a Third-Party domain.
And
F) The signer seemed to be unrelated to the From/Sender/Whatever headers;
G) The signature covered an "unusual" selection of headers;
H) There were several signatures, of which some passed and some failed;
I) Umpteen other reasons why it looked suspicious.
A Policy Record might well clear up some (probably not all) of such cases.
Moreover, experience will throw up new scams that the Bad Guys will
invent, and so it may become necessary to add new kinds of information to
Policy records that we have not even thought of yet. So, to that extent,
their notation needs to be extensible.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html