On 7/12/11 12:02 PM, Charles Lindsey wrote:
Essentially, my concern is that an implementor reading this section should
be able to infer the nature of the particular attack I have described (the
one where the signer is the BadGuy himself using a throwaway domain),
including spotting how and why it worked and how to protect against it.
Having now read your paragraph in the context of the rest of the material
in that section, I think it just about passes that test, but only by the
thinnest of margins, so I will let it go.
But as a piece of technical writing that section is a total mess, talking
around the problem, and seemingly more concerned with enabling timid
implementors to pass the buck around amongst themselves that with
protecting the ultimate users.
I see Doug has written a detailed critique of it, and I fully endorse most
of what he has said.
Charles,
IMHO, the issue was never about throw-away domains. Without universal
adoption of the recently invented and poorly considered 'h=' double
tagging hack, any domain reputation based upon not sending spam or
spoofing messages place all recipients of messages from ANY domain at
risk whenever illegal header fields are ignored during DKIM validation
regardless of ADSP like policy being applied.
The lack of universal adoption of 'h=' double tagging hack places
senders and recipients at risk. This risk should be seen as an assault
against the entire DKIM protocol. Steps needed to mitigate the risk
represent less process and resource overhead than the poorly considered
double tagging hack. The double tagging hack might assist in a
transition toward better validation enforcement, but without invalid
header checks made during validation, the requisite protections that
might have been afforded through ADSP like policy or through signing
domain reputation is lost.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html