On 10/19/10 5:08 PM, Murray S. Kucherawy wrote:
> Since the issue is an attempt to fool users, those seem to me to be in the
> same family as the other thing we're talking about. And none of them have
> anything at all to do with DKIM.

Disagree.

It is TRUST being established by DKIM that is being exploited! Messages
lacking authenticated assertions regarding their origination are normally
not trusted to any extent. As such, multiple From header fields
primarily concern only DKIM as TRUST exploits. Normal leniency
provided for RFC5322 non-conformance demonstrates there is normally
little TRUST to be exploited, and thus without DKIM there is little
concern.

It is when a person sees a DKIM-based lock icon on their message, for
example, that recipients might be placed at risk by undetected
inclusion of multiple From header fields. That oversight in DKIM's
validation process MUST be corrected to ensure DKIM's integrity. DKIM
is a security related protocol offering much more than just an
authenticated message tag. DKIM also binds this domain with the From
header field. Therefore, unlike normal email, Trust in the DKIM domain
is extended to include the From header field.

Are you suggesting DKIM should not check for the presence of this
multiple From header field exploit and indicate this with a PERMFAIL
result? Do you really think that some other component of email should
be checking for RFC5322 compliance?

You and Dave seem determined to make this some other process's
concern. Which email process should be expected to alert recipients?
What other protocols need to be updated?
SMTP? IMAP? POP3? SIEVE? DKIM is truly the only logical process where
this check /MUST/ be made.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
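
The check argued for in the message above, sketched as an added example (not part of the original post and not code from any DKIM implementation): it counts From header fields and shows which instances a signature's h= tag leaves uncovered. The function names, the "permfail" / "pass-to-verifier" labels and the sample message are assumptions made for illustration; no signature is cryptographically verified here.

```python
from email import message_from_bytes

def h_tag_from_count(sig_value: str) -> int:
    """Count how many times 'from' is listed in a DKIM-Signature h= tag."""
    for tag in sig_value.split(";"):
        name, _, value = tag.partition("=")
        if name.strip().lower() == "h":
            # Remove folding whitespace inside each colon-separated name.
            names = ["".join(n.split()).lower() for n in value.split(":")]
            return names.count("from")
    return 0

def check_from_fields(raw: bytes) -> dict:
    """Pre-verification check: RFC 5322 allows exactly one From field."""
    msg = message_from_bytes(raw)
    froms = msg.get_all("From", [])          # top-to-bottom order
    sigs = msg.get_all("DKIM-Signature", [])
    # h= entries select header instances from the bottom of the header
    # block upward, so n listings of "from" cover only the last n fields.
    covered = max((h_tag_from_count(s) for s in sigs), default=0)
    unsigned = froms[:max(len(froms) - covered, 0)]
    # Assumption: treat anything other than one From as the PERMFAIL
    # result the post proposes.
    verdict = "pass-to-verifier" if len(froms) == 1 else "permfail"
    return {"from_count": len(froms), "unsigned_from": unsigned,
            "verdict": verdict}

# Constructed sample: two From fields, signature lists "from" once.
SAMPLE = (
    b"From: Display Name <someone@example.net>\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
    b" h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: Sender <sender@example.com>\r\n"
    b"To: rcpt@example.org\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    print(check_from_fields(SAMPLE))
```

On the sample, the topmost From field is reported as outside the signature's coverage, which is the instance a display client may show beside a "verified" indicator.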