Wietse Venema wrote:
With this signer-side configuration solution, the verifier can
detect attempts to "spoof" any header that was covered by the DKIM
signature (spoof as in "add a forged header, and hope that naive
programs will use the forged header instead of the authentic one").
So the solution is already available in DKIM. We just need to use
the solution, and make it part of routine DKIM tests.
Having the signer put the extra junk in h= should make existing verifiers
do the right thing, although I doubt the bit of verification code that
checks for the non-existence of the N+1st header for N>0 is well tested in
DKIM implementations.
To address this, make this solution part of routine DKIM test suites.
+1, however.....
This is only part of the solution. A temporary one to allow current
operators to cover themselves using their "Required Header"
configuration, if any.
The real solution is to void double 5322.From messages. Either the
DKIM compliant MSA, MDA do it or the "better" DKIM signer/verification
engine does it to cover for legacy MSA, MDA or to make sure customers
using a 3rd party signing engine are sending the proper mail to sign.
Can someone come up with IETF amenable copy text for Dave to add to
4871bis that won't prohibit or slow down its progress?
IMV, all would-be implementers need to read is a basic idea of:
"Make sure there are no two or more 5322.From headers when signing
or verifying. These messages should be voided."
and that's it.
--
HLS
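The two mechanisms discussed in this thread, a signer listing From one extra time in h= so that an added From breaks the signature, and a verifier voiding any message with two 5322.From headers, as an added Python example (not code from the thread or from any DKIM implementation). It applies the RFC 6376 h= selection rule (bottom-most unused instance first, exhausted slots hash as empty) to constructed headers, using a simplified relaxed-style canonicalization and a plain header hash in place of full signature verification.

```python
import hashlib
from typing import List, Tuple

Header = Tuple[str, str]  # (field name, value), in top-to-bottom message order


def select_signed_headers(headers: List[Header], h_tag: str) -> List[str]:
    """RFC 6376 h= semantics: each name in h= consumes the lowest not-yet-used
    instance of that header; if none remain, the slot is a nonexistent header
    and contributes an empty string. Listing From twice therefore pins the
    message to exactly one From."""
    remaining = list(headers)  # instances are consumed from the bottom up
    selected = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                # simplified relaxed canonicalization: lowercase name, trimmed value
                selected.append(f"{name}:{remaining[i][1].strip()}")
                del remaining[i]
                break
        else:
            selected.append("")  # exhausted: treated as nonexistent
    return selected


def header_hash(headers: List[Header], h_tag: str) -> str:
    """Stand-in for the signed header hash; differing hashes mean the real
    signature would fail to verify."""
    data = "\r\n".join(select_signed_headers(headers, h_tag)).encode()
    return hashlib.sha256(data).hexdigest()


def should_void(headers: List[Header]) -> bool:
    """The 'real solution' from the thread: reject any message carrying
    two or more 5322.From headers, whether signing or verifying."""
    return sum(1 for name, _ in headers if name.lower() == "from") > 1


# Constructed sample: the authentic message, and the same message with a
# forged From prepended by a hypothetical attacker after signing.
ORIGINAL: List[Header] = [("From", "alice@example.com"),
                          ("To", "bob@example.com"),
                          ("Subject", "quarterly numbers")]
FORGED: List[Header] = [("From", "ceo@example.com")] + ORIGINAL

if __name__ == "__main__":
    print("h=from:to:subject      survives forgery:",
          header_hash(ORIGINAL, "from:to:subject") == header_hash(FORGED, "from:to:subject"))
    print("h=from:from:to:subject survives forgery:",
          header_hash(ORIGINAL, "from:from:to:subject") == header_hash(FORGED, "from:from:to:subject"))
    print("void forged message:", should_void(FORGED))
```

With From signed once, the verifier selects the bottom-most (authentic) From and the signature still verifies even though naive readers show the forged one; with From oversigned, the second slot that was empty at signing time now selects the forged header and the hash changes.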
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html