ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Fwd: Re: New Issue: protecting a domain name vs.protecting a domain tree

2008-04-11 10:02:42
from [MH Michael Hammer (5304)] [Permanent Link] 



-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-
bounces(_at_)mipassoc(_dot_)org] On Behalf Of Charles Lindsey
Sent: Friday, April 11, 2008 12:10 PM
To: DKIM
Subject: [ietf-dkim] Fwd: Re: New Issue: protecting a domain name
vs.protecting a domain tree

On Wed, 09 Apr 2008 19:27:27 +0100, Dave Crocker <dhc(_at_)dcrocker(_dot_)net>

wrote:



Eric Allman wrote:

Dave, I'm not understanding how the algorithm can work if you omit

step

2 from section 4.2.2.



The attack that you describe requires using some name other than the

one

that is
listed.  The single, specific name that is listed is, indeed,
"protected".


Sure, if a phisher includes
      From: info(_at_)ebay(_dot_)com
then SSP/DKIM will catch him.

If the phisher includes
     From: info(_at_)ezbay(_dot_)com
then we know that SSP/DKIM cannot catch him, and there is not much we

can

do about that other than to advise phishees to read From headers

_very_

carefully.

But if the phsher includes
      From: info(_at_)mailout(_dot_)ebay(_dot_)com
where the domain mailout.ebay.com does not exist, then it needs to be
caught somehow, since the phishee will look at it _very_ carefully and
will find it perfectly reasonable (as indeed it is).

So if we cannot arrange that mailout.ebay.com is not caught by some
sub-domain mechanism within SSP, then we at leaast need to say,

perhaps

non-normatively:

"Although it is impossible to obtain an SSP record for a non-existant
sub-domain of a protected domain, verifiers might well choose to to
reject/discard/whatever messages with non-existent domains in From

headers

as a matter of policy quite separate from their policies arising from
SSP/DKIM."





This is one of the reasons that I raised the question of whether it is
possible to find the "base" domain (not TLD) that the organization
controls. If this is possible then we may have the ability for ADSP to
assert that all sub-domains in a tree only send mail that is DKIM
signed. If this is not possible to do then I don't know that
non-existent sub-domains can be protected by DKIM/ADSP.

Mike

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [ietf-dkim] Fwd: Re: New Issue: protecting a domain name vs. protecting a domain tree, Charles Lindsey
Next by Date:  Re: [ietf-dkim] Fwd: Re: New Issue: protecting a domain name vs.protecting a domain tree, John Levine
Previous by Thread:  [ietf-dkim] Fwd: Re: New Issue: protecting a domain name vs. protecting a domain tree, Charles Lindsey
Next by Thread:  Re: [ietf-dkim] Fwd: Re: New Issue: protecting a domain name vs.protecting a domain tree, John Levine
Indexes:  [Date] [Thread] [Top] [All Lists]