> -----Original Message-----
> From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
> [mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Michael Deutschmann
> Sent: Sunday, July 10, 2011 12:53 AM
> To: DKIM List
> Subject: Re: [ietf-dkim] Doublefrom language should be in ADSP, not core
>
> The attack only matters if the user believes that forgery is impossible
> because his ISP and the putative sender both "deploy ADSP" -- and thus the
> fact that the message made it to his mailbox means it has to be validly
> signed. (Of course, such users are suckers for messages from
> "0bama"...)
I think the attack only matters if the MUA believes that the only thing ever
present in the inbox is a validly-formed message, *and* the presence of a DKIM
signature (regardless of signing domain) means the message is somehow more
valid than one without.
> Otherwise, "Obama" messages with an alternate From: (which the forger
> hopes the MUA will ignore) and signature for that second From:, are no
> more convincing than plain old forgeries with a single From: and no
> signature at all.
+1
> In fact, they can be less effective, since:
> 1. At any step on the way, the message may be rejected as a protocol
> violation.
Right, or have the extra From: arbitrarily removed.
> 2. The MUA might display to the user the From: instance that was
> intended by the forger for the validator's eyes only.
> 3. The lazy validator might act on the From: instance that was intended
> by the forger for the MUA to display.
> Failures (from the forger's perspective) 1 and 2 produce a result less
> convincing than a simple unsigned forgery. Failure 3 produces a result
> no more convincing than the simple unsigned forgery.
+1
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
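The structural check behind failure 1 in the thread (a second From: being rejected as a protocol violation), as an added example that is not from either poster. It assumes two facts from the DKIM base spec, RFC 6376: the h= tag lists the signed header field names, and a verifier selects header instances from the bottom of the header block upward, so with h=from:... only the lowest From: is covered, while a signer that lists "from" one more time than it occurs (oversigning) makes any later-added From: break the signature. The two sample messages are constructed; their bh= and b= values are placeholders, so this is the pre-check a validator runs before or alongside cryptographic verification, not the verification itself.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: the forger prepends a second From: above the
# signature. h= names "from" once, and RFC 6376 section 5.4.2 selects
# header instances bottom-up, so only the *lower* From: (the forger's
# own domain) is covered by the signature; the top one is unsigned.
DOUBLE_FROM = b"""\
From: "Barack Obama" <president@whitehouse.example>
DKIM-Signature: v=1; a=rsa-sha256; d=forger.example; s=sel;
 h=from:to:subject; bh=AAAA; b=BBBB
From: Forger <forger@forger.example>
To: victim@example.net
Subject: Hello

body
"""

# Constructed sample: a well-formed message whose signer listed "from"
# twice in h= (oversigning). The extra slot binds to "no such field", so
# a From: added afterwards would change the signed input and break b=.
OVERSIGNED = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=forger.example; s=sel;
 h=from:from:to:subject; bh=AAAA; b=BBBB
From: Forger <forger@forger.example>
To: victim@example.net
Subject: Hello

body
"""


def signed_header_names(sig_value):
    """Return the h= tag of a DKIM-Signature value as lowercase names."""
    m = re.search(r"(?:^|;)\s*h=([^;]*)", sig_value)
    if not m:
        return []
    return [n.strip().lower() for n in m.group(1).split(":") if n.strip()]


def from_coverage(raw):
    """Compare the From: instances in a raw message with the h= tag.

    Purely structural: it says which From: instances a verifier would
    hash, and which ones no signer ever touched. It does not check b=.
    """
    msg = BytesParser(policy=policy.compat32).parsebytes(raw)
    froms = msg.get_all("From") or []
    sig = msg.get("DKIM-Signature")
    slots = signed_header_names(sig).count("from") if sig else 0
    split = max(0, len(froms) - slots)
    return {
        "from_count": len(froms),
        "rfc5322_violation": len(froms) != 1,   # RFC 5322 3.6: exactly one From:
        "signed_from_slots": slots,
        "covered": froms[split:],               # bottom-up: the last `slots` instances
        "uncovered": froms[:split],             # top instances outside the signature
        "oversigned": slots > len(froms),
    }


def verdict(raw):
    """Defensive policy from the thread: more than one From:, or any From:
    the signature does not cover, is a protocol violation, so the message
    is handled as if it carried no valid signature at all."""
    cov = from_coverage(raw)
    if cov["rfc5322_violation"] or cov["uncovered"]:
        return "reject"
    return "accept"


if __name__ == "__main__":
    for label, raw in (("double From:", DOUBLE_FROM), ("oversigned", OVERSIGNED)):
        print(label, verdict(raw), from_coverage(raw))
```

Running the block prints "reject" for the double-From: sample, with the "Obama" instance listed as uncovered, and "accept" for the oversigned single-From: message. The point for a validator or MUA author is the one the thread makes: once duplicate From: fields are treated as a violation rather than silently picked from, the forger's second From: buys nothing over a plain unsigned forgery.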