ietf-mailsig

Re: DKIM: Does DKIM provide adequate protection from a malicious domain from spoofing a sender's address?

2005-07-20 21:22:50

On July 20, 2005 at 13:31, Michael Thomas wrote:

What prevents a malicious domain from spoofing a sender's address?
I.e.  Is there anything in DKIM that (effectively) prevents a malicious
domain from using my personal address, or anyone else's address?

This was -- and continues to be -- the subject of much debate. The compromise
was to have the mechanics for binding the dkim address (eg i=) to outside
addresses (eg From) addressed in the signing policy draft. Due to time constraints,
the text that was in DKIM base did not make it into ssp, but it should
go back in the next rev.

Okay.  I'll review the next rev when it comes out.

Scanning the sender signing policy draft, I'm still not sure if
it will cover my concerns.  I still think what I suggested
earlier:

  DKIM is modified to handle better when the From: is different from
  the signed address.  Validators may be REQUIRED to replace From:
  with the signed address, or consider such messages in error.
  Since DKIM does not support the signed address from being in a
  different domain from the signer's domain, then, maybe, different
  domain From addresses should not be allowed.

And/or, the use of something like DKIM-From.

This avoids the reliance of each individual person on the Net to
establish a sender signing policy.  I think spoofing attacks should
be addressed without relying on sender signing policies.

I think that the longer term answer with resigners (eg, mailing lists) is that
they want to preserve the original DKIM signature bound to the From
address as well as resign it themselves.

Why?  I'm not sure there is any real value for list to preserve
the original signature.

--ewh
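
The From-binding check discussed in this message, sketched as an added example (not part of the original post and not the algorithm of the DKIM or signing policy drafts): it compares the From: address with the signed identity (i=, defaulting to "@" plus d=) and reports whether a validator following the suggestion would treat the message as bound or in error. The function names, result strings and sample headers are constructed for illustration, and the signature is assumed to have already been verified cryptographically.

```python
from email.utils import parseaddr

def parse_tags(value):
    """Split a DKIM-Signature tag=value list into a dict (whitespace removed)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def check_from_binding(from_header, dkim_signature):
    """Classify how From: relates to the signed identity (i=, default "@" + d=).

    Assumes the signature itself has already been verified cryptographically.
    """
    tags = parse_tags(dkim_signature)
    if "d" not in tags:
        return "error: no d= tag"
    d = tags["d"].lower()
    i_local, _, i_domain = tags.get("i", "@" + d).rpartition("@")
    i_domain = i_domain.lower()
    # The signed address must sit in the signer's domain or a subdomain of it.
    if i_domain != d and not i_domain.endswith("." + d):
        return "error: i= outside d="
    f_local, _, f_domain = parseaddr(from_header)[1].rpartition("@")
    if not f_local or not f_domain:
        return "error: unparseable From"
    if f_domain.lower() != i_domain:
        return "mismatch: From domain is not the signed domain"
    # An empty i= local part means the signature speaks for the whole domain.
    if i_local and i_local != f_local:
        return "mismatch: From local part is not the signed address"
    return "bound"

# Constructed sample headers (placeholder domains, truncated b= values).
SAMPLES = [
    ("Alice <alice@example.org>", "v=1; d=example.org; i=alice@example.org; b=AAAA"),
    ("Alice <alice@example.org>", "v=1; d=example.org; b=AAAA"),
    ("Alice <alice@example.org>", "v=1; d=lists.example.net; b=AAAA"),
    ("Alice <alice@example.org>", "v=1; d=example.org; i=bob@example.org; b=AAAA"),
    ("Alice <alice@example.org>", "v=1; d=example.org; i=@other.example; b=AAAA"),
]

if __name__ == "__main__":
    for from_header, sig in SAMPLES:
        print(f"{sig:50} -> {check_from_binding(from_header, sig)}")
```

The third sample is the resigner case raised at the end of the message: a list that signs with its own domain leaves From: unbound unless the original signature is also preserved and still verifies.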

