ietf-dkim

Re: [ietf-dkim] draft-ietf-dkim-rfc4871bis-07 // Attacks Involving Additional Header Fields

2011-04-25 23:32:04


On 4/25/2011 9:18 PM, Murray S. Kucherawy wrote:
>> Double listing in the "h=" tag cannot fully mitigate risks related to
>> appended header fields when messages are signed by a different domain than
>> the domain found in the appended From header field.
>
> DKIM doesn't create any binding between the RFC5322.From domain and the "d="
> value as you're doing.  What you're talking about here falls into the realm
> of ADSP or other policy-like assertions, not DKIM itself which is the topic
> of this draft.


Perhaps I am wrong, but I believe that this point has been made and re-made
enough times to warrant not making it again.

If someone participating in this working group continues to make that error,
they are unlikely to change.  And the mailing list archive has more than enough
evidence of clarifying this point; more is not needed.

d/

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
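As an added illustration, not part of this thread or of any DKIM implementation, the header-selection rule from RFC 4871 section 5.4 that makes "h=" double listing work, alongside a separate From/d= alignment check to show that the latter is a policy-layer decision outside DKIM verification. The header values, domains and function names are constructed for the example; the hash is a stand-in for the real canonicalised header hash and no signing is performed.

```python
import hashlib

def select_signed_headers(headers, h_tag):
    """RFC 4871 section 5.4 selection: for each name in h=, take the next
    unconsumed instance of that field counting from the bottom of the header
    block; a missing instance contributes an empty value.  Listing a name
    twice therefore signs an 'absent' slot, so a field added later changes
    the signed content."""
    consumed = set()
    selected = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        found = None
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in consumed and headers[idx][0].lower() == name:
                found = idx
                break
        if found is None:
            selected.append((name, ""))
        else:
            consumed.add(found)
            selected.append((name, headers[found][1].strip()))
    return selected

def header_hash(headers, h_tag):
    # Stand-in for the DKIM header hash: digest over the selected pairs
    # with trivial canonicalisation (constructed, not a real signer).
    blob = "".join(f"{n}:{v}\r\n" for n, v in select_signed_headers(headers, h_tag))
    return hashlib.sha256(blob.encode()).hexdigest()

# Constructed sample headers, topmost field first.
ORIGINAL = [
    ("From", "alice@signer.example"),
    ("Subject", "hello"),
]
# The same message after a second From field is prepended.
APPENDED = [("From", "ceo@bank.example")] + ORIGINAL

def signature_survives(h_tag):
    """True if the prepended From field leaves the header hash unchanged,
    i.e. the addition is not detected by the signature."""
    return header_hash(ORIGINAL, h_tag) == header_hash(APPENDED, h_tag)

def from_domain_matches_d(headers, d_tag):
    """Policy-layer check in the spirit of ADSP, not part of DKIM
    verification: does the topmost From domain equal the signing domain?"""
    top_from = next(v for n, v in headers if n.lower() == "from")
    return top_from.rsplit("@", 1)[1].lower() == d_tag.lower()
```

With h="from:subject" the added From field is invisible to the signature; with h="from:from:subject" it is caught, yet a message signed by an unrelated d= still verifies, which is why the From/d= comparison lives in policy, not in DKIM.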