On Wed, 20 Apr 2011 23:15:52 +0100, Barry Leiba
<barryleiba(_at_)computer(_dot_)org>
wrote:
Yes indeed. We discussed lots of wording for all of this, and the one
that
has got into the document is about the worst.
Your objection is noted.
Note that I have escalated this to as Issue. DKIM is broken if we do not
get this right.
This is reopening a closed discussion, and the chair considers that
inappropriate and unwarranted at this stage. It has been decided. I
appreciate that you disagree with the decision, and that will be noted
in the PROTO writeup when I do it.
There may be a rough consensus for the present text, but my understanding
of the IETF procedures is that "rough consensus" is always trumped by Hard
Technical Facts.
And I ASSERT that the following is a Hard Technical Fact:
Where a Vewrifier is minimally compliant with the present draft,
in particular if it omits any test for repeated headers (there is
no REQUIREMENT for such a test), then a phisher can easily devise
a message which, in the majority of current MUAs, will be displayed
as "From: service(_at_)paypal(_dot_)co(_dot_)uk" and which will pass
through that
verifier unscathed. This is true whether or not paypal.co.uk has
declared a Discardable ADSP policy and that Verifier implements ADSP.
I have described this attack several time on this List, and yet it still
works. Hence the present draft can only be described as unfit-for-purpose.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html