ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Proposal for new text about multiple header issues

2010-10-25 19:51:08
Isn't the more interesting attack a signature from some throwaway domain 
that covered a matching From: but also contained a From: indicating some 
high-value phish target?

Not really, no. Signing the From: field means nothing other than that it is 
the same as when it was sent.

I can sign mail with d=blighty.com and "From: doolally(_at_)ebay(_dot_)com" 
without needing to play any games with multiple headers

Let's say your message has two From lines, one from bob(_at_)blurfle(_dot_)net, 
one 
from security(_at_)ebay(_dot_)com, and you sign the first with d=blurfle.net. 
Perhaps blurfle.net even publishes discardable ADSP.

My concern would be that filtering agents might notice the blurfle header 
and signature and deem it harmless, but an MUA would show the ebay header.

In any event, I think it's reasonable to say that DKIM signers shouldn't 
sign a message with an extra From or Subject header, and verifiers 
shouldn't say the signature on such a message is good, even if it 
validates technically.  I dug through my message archives last week, and I 
don't think I've ever seen a legit message with that flaw, so it's hard to 
think of a reason to cut such messages any slack.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet 
for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>