ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Pete's review of 4871bis

2011-06-29 12:34:28
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Charles 
Lindsey
Sent: Wednesday, June 29, 2011 9:20 AM
To: DKIM
Subject: Re: [ietf-dkim] Pete's review of 4871bis

I agree that 8.14 is poorly written (and it was even worse a while back).
However, there most certainly IS an attack here, which is NOT the same as
the related attack discussed in 8.15, and cannot be prevented by putting
extra entries in the 'h=' tag. Unfortunately, many WG members have failed
to understand the difference between the two.

That's a mischaracterization of the objection.  "h=from:from:..." was not meant 
to address the attack about which you are complaining.

In my opinion, there needs to be some REQUIRED action in the verifier which
will result in a PERMFAIL, and which would then catch all attacks of this
nature. But the WG consensus has been against this.

This was discussed ad nauseam.  The consensus reached was that DKIM is the 
wrong place to enforce compliance of RFC5322.  Rather, we stipulate that we 
expect those modules to do their jobs properly.

Nobody has said either of the two variants of this attack are not valid 
concerns.  The dispute is about what module in the handling of a message is 
responsible for detecting and dealing with it.

Since the problem exists even with a message that is not DKIM-signed, I still 
fail to understand how this is specifically a DKIM problem.

-MSK

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html