On 10/25/10 2:12 PM, Steve Atkins wrote:
On Oct 25, 2010, at 1:58 PM, Murray S. Kucherawy wrote:
Isn't the more interesting attack a signature from some throwaway domain
that covered a matching From: but also contained a From: indicating some
high-value phish target?
Not really, no. Signing the From: field means nothing other than that it is
the same as when it was sent.
I can sign mail with d=blighty.com and "From: doolally(_at_)ebay(_dot_)com"
without needing to play any games with multiple headers.
The only interesting attack in this entire situation is the ability to take a
message signed by a high-reputation domain, so that it'll get delivered to
the inbox, and to replace the Subject: (and possibly From:) with your own
payload.
Disagree. It could be signed by a large domain that is unlikely to be
blocked, where the high value domain can then be spoofed because of a
poorly defined DKIM verification process, regardless of where the DKIM
verification process happens to be located.
It's also not specific to MUAs. Filtering agents can be similarly
duped.
They can, yes, though I'm not sure that's needed to explain why this
may be a bad thing to allow.
Focusing on the MUA case might inadvertently suggest to implementers of
other components that this is not a concern for them.
True. Though it really shouldn't be a significant concern for them, as
filtering agents that are DKIM aware (should anyone create such a thing) and
have a valid DKIM identity will likely use that in preference to, say, the
From: field. And if the filtering agent is not DKIM aware, it's not an issue.
DKIM verification is still DKIM verification regardless of where this
process is located. Stop hand waving. This process MUST be correctly
defined to protect the consumers of these results.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
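
The multiple-From: case debated in this thread can be checked by whatever component consumes DKIM results. The following is an added example, not part of the thread and not taken from any DKIM implementation: it compares the number of From: fields in a message with the number of `from` entries in each signature's `h=` tag. The function name, the report keys and the sample messages are assumptions made for illustration, and the signature itself is not cryptographically verified.

```python
import email
import re

def from_coverage(raw):
    """Per DKIM-Signature: how many From: fields exist vs. how many h= signs.
    Coverage analysis only; the signature itself is not verified here."""
    msg = email.message_from_string(raw)
    in_msg = len(msg.get_all("From", []))
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in sig.split(";"):
            if "=" in part:
                name, value = part.split("=", 1)
                tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding
        signed = [h.lower() for h in tags.get("h", "").split(":")].count("from")
        report.append({
            "d": tags.get("d"),
            "from_fields": in_msg,
            # h= selects repeated fields bottom-up, so uncovered ones are the
            # topmost From: fields; the signature says nothing about them.
            "unsigned_from": max(0, in_msg - signed),
            # More h= entries than fields: adding a From: breaks the signature.
            "oversigned": signed > in_msg,
            # RFC 5322 allows exactly one From:; anything else should not be
            # passed on to a consumer as "signed by d=".
            "usable": in_msg == 1,
        })
    return report

# Constructed sample messages (example domains, dummy bh=/b= values).
TWO_FROM = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel;\n"
    " h=from:to:subject; bh=AAAA=; b=BBBB=\n"
    "From: billing@bank.example\n"
    "From: someone@example.net\n"
    "To: user@example.org\n"
    "Subject: constructed sample\n\nbody\n"
)
OVERSIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
    " h=from:from:to:subject; bh=AAAA=; b=BBBB=\n"
    "From: someone@example.com\n"
    "To: user@example.org\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("two From:", TWO_FROM), ("oversigned", OVERSIGNED)):
        print(label, from_coverage(raw))
```
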