On Fri, 25 Jan 2008 22:14:19 -0000, John Levine <johnl(_at_)iecc(_dot_)com>
wrote:
Frank, you're (inadvertently?) bringing up exactly the kind of
corner cases that I was trying to raise so that SSP implementations
have the same behavior in their presence. It may be that all we
practically need to do is refer to 2822 and say that if the From:
field is missing, or if the header field body is missing, or if
the domain part of the address spec is missing or not a datom(??),
then the algorithm terminates and returns, oh say, "malformed" or
something like that.
Well, gee. What if there are two From: lines? Three From: lines? A
From: line with two addresses but no Sender:? A From: line with two
addresses, one of which has no @ sign? A From: line with a couple of
embedded carriage returns? The number of ways one can construct a
string of bytes that is not a 2822 message is limitless, and it's hard
to see any beneft in trying to enumerate them. If it's not a 2822
message, SSP doesn't apply.
I think all you need, as Frank has pointed out, is a security
consideration to the effect that
"Verifiers should be aware that Bad Guys may attempt to subvert the
intentions of SSP by submitting messages that are non-compliant with RFC
2822 (for example by using empty From headers, mutiple From headers, Etc
{i.e. list a few examples, but not too may }).
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html