ietf-dkim

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 06:02:37
On Thu, 07 Jul 2011 22:06:29 +0100, Murray S. Kucherawy  
<msk(_at_)cloudmark(_dot_)com> wrote:


>> My favourite counterexample, which I've used many times already, is
>> Mailman.  It doesn't even check DKIM signatures, but you can still fake
>> your way through its authorization process such that a different From:
>> is shown to the user for some MUAs.
>
> Can you please give me a pointer to that?
>
> This still supports the notion that we fear people will misapply DKIM
> results as the basis for the attack.  Your proposed changes here won't
> remedy that.

>> Oh yes there is! Because identity assessors will undoubtedly give more
>> credence to messages where the signature domain is the same as the
>> author (i.e. From:) domain, even if they do not go to the extent of
>> doing full ADSP, and that is just what the BadGuy hopes will happen.
>
> Whose?  Mine don't, and the text doesn't support that notion either.

If DKIM is not intended to give added credence to messages, then what on
earth is its purpose at all. Yes, it needs to be interpreted with care and
understanding, and our Security Considerations are the vehicle for
improving that understanding.

I suspect many assessors will use a scoring system (like Spamassassin),
where a signed message, even from a totally unknown domain, will add some
positive contribution.

>> Signers who are BadGuys don't give a damn about the reputation of their
>> domains. Having dispatched a million or so phishes with "d=badguy.com",
>> they will abandon that domain and use "d=son-of-badguy.com" for the next
>> batch. All that can be said of the reputation of badguy.com is that it
>> is a new domain, never seen before (but new domains are appearing all
>> the time, and must be assumed more-or-less innocent until proven
>> otherwise).
>
> Certainly true, and certainly fodder for a BCP for using DKIM or even
> reputation, but not for the DKIM protocol specification (especially
> since we declared reputation out-of-scope ages ago).

Yes, it is out of scope to suggest mentioning it, but that has not stopped
people from using it to undermine my case (which it doesn't if the badguy
is using throwaway domains).


-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
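The "identity assessor" behaviour argued over in this exchange can be made concrete. The following is an added example, not code from the thread, from either poster, or from any DKIM implementation: it extracts the DKIM-Signature d= tag and the From: domain, computes signer/author alignment, and then grants scoring credit only when the signing domain also has an observed history. A freshly registered throwaway domain is trivially aligned with its own From:, so alignment alone earns nothing. The message headers, domain names and the REPUTATION table are all constructed for the example.

```python
"""Assessor sketch: DKIM signer/author alignment plus a reputation gate.

Added example; headers, domains and reputation values are constructed
and hypothetical. It is not a complete DKIM verifier (no signature
verification is performed); it only models the scoring decision that
follows a successful verification.
"""
import re
from email import message_from_string


def dkim_signing_domain(msg_text: str):
    """Return the lower-cased d= tag of the first DKIM-Signature header,
    or None if the message carries no signature header."""
    msg = message_from_string(msg_text)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    for tag in sig.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            return value.strip().lower()
    return None


def author_domain(msg_text: str):
    """Return the lower-cased domain part of the From: address, or None."""
    msg = message_from_string(msg_text)
    match = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else None


def aligned(signing, author):
    """Relaxed alignment: same domain, or the signer is a parent domain
    of the author domain (e.g. d=example.com signs for news.example.com)."""
    if signing is None or author is None:
        return False
    return author == signing or author.endswith("." + signing)


# Constructed reputation table: days this assessor has seen the domain
# sign mail. A domain absent from the table has no history at all.
REPUTATION = {"example.com": 900, "badguy.example": 0}

MIN_HISTORY_DAYS = 30  # assumed threshold before alignment earns credit


def assess(msg_text: str, reputation=REPUTATION):
    """Score a message the way a cautious assessor would.

    Alignment by itself grants no bonus; it only unlocks credit that the
    signing domain has already earned through observed history. A
    third-party signature over a different From: domain is treated as a
    mild negative, since that is the shape of the forwarding/Mailman
    scenario discussed in the thread."""
    signing = dkim_signing_domain(msg_text)
    author = author_domain(msg_text)
    is_aligned = aligned(signing, author)
    history = reputation.get(signing, 0) if signing else 0

    score = 0
    if is_aligned and history >= MIN_HISTORY_DAYS:
        score += 2
    elif signing is not None and not is_aligned:
        score -= 1
    return {
        "signing": signing,
        "author": author,
        "aligned": is_aligned,
        "history_days": history,
        "score": score,
    }


# Constructed sample messages (signature values are placeholders).
LEGIT = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
    "  h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER==\n"
    "From: Alice <alice@example.com>\n"
    "To: bob@example.net\n"
    "Subject: hello\n\nbody\n"
)
THROWAWAY = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=badguy.example; s=sel;\n"
    "  h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER==\n"
    "From: Bank Alerts <alerts@badguy.example>\n"
    "To: bob@example.net\n"
    "Subject: verify your account\n\nbody\n"
)
THIRD_PARTY = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=list.example; s=sel;\n"
    "  h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER==\n"
    "From: Alice <alice@example.com>\n"
    "To: bob@example.net\n"
    "Subject: [list] hello\n\nbody\n"
)

if __name__ == "__main__":
    for name, text in (("legit", LEGIT), ("throwaway", THROWAWAY),
                       ("third-party", THIRD_PARTY)):
        print(name, assess(text))
```

The point of the reputation gate is the one made about "d=badguy.com" above: an attacker who signs with a domain they control will always be aligned, so an assessor that adds positive weight for a signed, aligned message regardless of history hands out exactly the credence the attacker wants.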
