ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] draft-ietf-dkim-mailinglists-02 review

2010-09-13 06:40:07
On Fri, 10 Sep 2010 23:37:46 +0100, Steve Atkins 
<steve(_at_)wordtothewise(_dot_)com>  
wrote:

On Sep 10, 2010, at 2:31 PM, Scott Kitterman wrote:
.....  If this negative event can be avoided by the simple mechanism of
using a mailing list specific "Message" From, then that is a benefit.

Rather than go into the general reasons why I think this is not
something that ADSP users really want, I'll give a concrete
example.

What ADSP users want is irrelevant. This is about what MLMs want (which is  
most likely to ensure that submitted messages reach the whole of their  
list without problems).

Lets say this mailing list rewrites the From: address in some
reasonably mechanical manner, and the From: field of
this message were rewritten as (making up syntax on
the fly)...

From: steve%blighty(_dot_)com%ietf-dkim(_at_)mipassoc(_dot_)org

... such that recipients (or their MUAs) know that this mail
was sent by steve(_at_)blighty(_dot_)com via a mailing list at
dkim.org.

There's nothing to stop me from sending mail
From: billing%paypal(_dot_)com%ietf-dkim(_at_)mipassoc(_dot_)org, as
the mailing list isn't using ADSP.

Clearly, mailing lists that do things to the From: SHOULD (even MUST)  
sign, and any RFC documenting my proposal would include that.

But yes, you could currently send a message to this list From: that  
address, but that has nothing to do with whether my suggestion is adopted  
or not. I suspect you would soon find yourself blacklisted by the MLM.

... And there's certainly
nothing to prevent me from sending mail from
billing%paypal(_dot_)com%ietf-dkim(_at_)blighty(_dot_)com that has
a valid first-person signature.

Indeed, but that is, and has always been, possible, irrespective of  
whether my suggestion is adopted. Phishers have been obfuscating their  
From: headers in such ways since forever.

That means that, as far as the end user is concerned,
I can send them email that is "from" billing(_at_)paypal(_dot_)com,
even though paypal.com is using ADSP to ask receivers
to discard mail that claims to be from paypal.com but
is not validly signed by paypal.com.

Given the whole point of ADSP is "Discard if you're not
sure", I don't think that's what an ADSP using domain
would want.

Sure they would, but DKIM as specified does not provide that feature  
except when everything after the '@' is exact.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>