ietf-dkim

Re: [ietf-dkim] Necessary Verifier Actions to mitigate exploitation of trust established through DKIM signatures.

2010-11-05 13:48:57
Append to Section 6 Verifier Actions:

It is not reasonable to assume a message is in compliance with RFC5322.  
To mitigate trivial exploitation of trust established by DKIM 
signatures, messages having multiple header fields for "orig-date", 
"from", "sender", "reply-to", "to", "cc", "message-id", "in-reply-to", 
"references", or "subject" MUST always return PERMFAIL for any DKIM 
signature associated with the message.  When there are multiple 
singleton header fields, a field selected for display or sorting is 
therefore undefined.  Likely top-down selections by consumers of DKIM 
status where the signature verification selects bottom-up leaves 
singleton headers highly prone to trivial exploitation.

-Doug
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

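The following Python is an added illustration of the mismatch the post describes; it is not part of the post and not DKIM reference code. It models RFC 6376 relaxed header canonicalization and the bottom-up "h=" selection rule a verifier applies, beside the top-down selection a mail client uses for display, and then the proposed verifier action of returning PERMFAIL whenever a singleton header field is duplicated. An HMAC over the header hash stands in for the RSA signature (an assumption, since the point is header selection, not the public-key step), and the key, "h=" lists and sample header blocks are all constructed. It also goes slightly beyond the post by showing the signer-side counterpart, listing "from" twice in "h=" (over-signing, RFC 6376 section 5.4), which makes the unchanged verifier reject the forgery.

```python
import hashlib
import hmac
import re

# RFC 5322 section 3.6 fields that may appear at most once (the post's list;
# "orig-date" is the grammar name for the Date: field).
SINGLETON_FIELDS = {
    "date", "from", "sender", "reply-to", "to", "cc", "message-id",
    "in-reply-to", "references", "subject",
}


def parse_headers(raw):
    """Split a CRLF header block into ordered (name, value) pairs, keeping folded lines together."""
    fields = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:          # folded continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            fields.append((name, value))
    return fields


def relaxed_canon(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n[ \t]+", " ", value)    # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def select_bottom_up(fields, h_list):
    """RFC 6376 section 5.4.2 selection: each name in h= consumes the lowest
    not-yet-used instance of that field; a name with no instance left is skipped."""
    used, chosen = set(), []
    for want in h_list:
        for i in range(len(fields) - 1, -1, -1):
            if i not in used and fields[i][0].lower() == want.lower():
                used.add(i)
                chosen.append(fields[i])
                break
    return chosen


def header_hash(fields, h_list):
    data = b"".join(relaxed_canon(n, v).encode() for n, v in select_bottom_up(fields, h_list))
    return hashlib.sha256(data).hexdigest()


def sign(fields, h_list, key):
    """HMAC stand-in (assumption) for the RSA-SHA256 signature over the selected header hash."""
    return hmac.new(key, header_hash(fields, h_list).encode(), hashlib.sha256).hexdigest()


def verify_naive(fields, h_list, key, sig):
    """Verifier that selects bottom-up exactly as the signer did, and checks nothing else."""
    return hmac.compare_digest(sign(fields, h_list, key), sig)


def display_from(fields):
    """What a typical MUA shows: the first (top-most) From: field."""
    for name, value in fields:
        if name.lower() == "from":
            return value.strip()
    return None


def verify_with_singleton_check(fields, h_list, key, sig):
    """Proposed verifier action: a duplicated singleton field is PERMFAIL before any crypto runs."""
    counts = {}
    for name, _ in fields:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    if any(counts.get(f, 0) > 1 for f in SINGLETON_FIELDS):
        return "PERMFAIL"
    return "PASS" if verify_naive(fields, h_list, key, sig) else "PERMFAIL"


# Constructed sample data (not from the post): the signer's key, two h= lists,
# the header block as signed, and the same block after an attacker prepends a From:.
KEY = b"constructed-demo-key"
H_LIST = ["from", "to", "subject", "date"]
H_OVERSIGNED = ["from", "from", "to", "subject", "date"]   # From: listed one extra time
ORIGINAL = (
    "From: accounts@bank.example\r\n"
    "To: victim@example.net\r\n"
    "Subject: Your statement\r\n"
    "Date: Fri, 5 Nov 2010 13:48:57 -0700\r\n"
)
FORGED = "From: attacker@evil.example\r\n" + ORIGINAL


def demo():
    original, forged = parse_headers(ORIGINAL), parse_headers(FORGED)
    sig = sign(original, H_LIST, KEY)
    sig_over = sign(original, H_OVERSIGNED, KEY)
    return {
        "naive_verify_forged": verify_naive(forged, H_LIST, KEY, sig),        # True
        "displayed_from": display_from(forged),                              # attacker@evil.example
        "checked_verify_forged": verify_with_singleton_check(forged, H_LIST, KEY, sig),      # PERMFAIL
        "checked_verify_original": verify_with_singleton_check(original, H_LIST, KEY, sig), # PASS
        "naive_verify_forged_oversigned": verify_naive(forged, H_OVERSIGNED, KEY, sig_over),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The forged message still verifies under the plain bottom-up verifier because the extra From: sits above the signed one and is never selected, while the top-down display picks exactly that unsigned field; the singleton check closes the gap on the verifier side regardless of what the signer put in "h=".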