On Thu, 14 Oct 2010 19:01:17 +0100, Alessandro Vesely
<vesely(_at_)tana(_dot_)it>
wrote:
On 13/Oct/10 20:45, Scott Kitterman wrote:
On Wednesday, October 13, 2010 12:54:23 pm Murray S. Kucherawy wrote:
If we can extract DKIM from the equation entirely and the problem
remains,
how is it a DKIM problem?
If the DKIM signature doesn't verify after signed headers have been
altered,
then it's not.
Correct. And the way that it fails to verify is h=from:from.
That only works when the signature is created by the Good Guys.
When the Bad Guys create signatures (using a throwaway domain), they will
conveniently "forget" to do h=from:from.
The only way that DKIM can consistently account for this exploit is by
amending section 5.5 "Recommended Signature Content", and spell what
fields MUST/SHOULD be duplicated in the h= tag.
No, the only way is to amend DKIM so that the verifiers MUST/SHOULD take
the right action.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html