Earl Hood wrote:
> On July 20, 2005 at 10:22, Thomas Roessler wrote:
>> According to section 5.2.2, signing the From header is mandatory.
>> Hence, if the advice from section 6.6 was applied, DKIM signatures
>> would be invalidated. User agents would no longer be able to verify
>> the binding between the signing address (if different from the From
>> address) and the message.
>
> Good point.
>
> More thought is definitely needed here since there are definite
> security implications. I made a suggestion about having
> a DKIM-From in a separate post discussing sender spoofing, but
> I'm unsure how it will be received.

This is one of the reasons for copied headers in the old IIM draft. It
made it possible for a verifier to "mark up" the From address; a later
verifier could use the copy of that address for verification and as a
starting point to do a mark-up of its own. By making it part of the
signature header itself, it guaranteed its association with the
signature as well as making sure it's signed.

Another issue arises with MUAs that only display the display-name of the
address to the user. The recipient might still be fooled by:

    From: "BigBank Security Department" <snidely.whiplash@example.com>

so there might be times when it's even necessary to mark up a message
with a first-party signature.

Note that I'm not really trying to push the copied-header concept, just
pointing out some similarities. Marking up the From address is
definitely ugly, and absent MUAs that are signature-aware I wish I could
think of a better alternative.
-Jim
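The two risks the thread raises, a signing address that differs from the From address and a display name that masquerades as a trusted party, can both be caught on the verifier side before anything is shown to the user. The following is an added example and not code from the thread or from any DKIM implementation. It assumes the standard DKIM-Signature tag syntax (the `d=` signing domain and the `h=` list of signed headers); the sample headers, the `KNOWN_BRANDS` mapping and all function names are constructed for illustration.

```python
"""Defender-side checks on a message's From header against its DKIM signature."""
import re
from email.utils import parseaddr

# Constructed sample headers, not taken from the original message.
SAMPLE_HEADERS = {
    "From": '"BigBank Security Department" <snidely.whiplash@example.com>',
    # Hypothetical DKIM-Signature; only the d= and h= tags matter for these checks.
    "DKIM-Signature": "v=1; a=rsa-sha256; d=example.net; s=sel; "
                      "h=to:subject:date; bh=xxxx; b=yyyy",
}

# Constructed mapping: a brand word a user might recognise in a display name
# -> the domain that brand actually sends from.
KNOWN_BRANDS = {"bigbank": "bigbank.example"}


def parse_tags(sig: str) -> dict:
    """Split a DKIM-Signature tag=value list into a dict, whitespace stripped."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def from_header_is_signed(sig: str) -> bool:
    """The From header must appear in the h= tag (the section 5.2.2 requirement)."""
    signed = parse_tags(sig).get("h", "")
    return "from" in [name.lower() for name in signed.split(":") if name]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an addr-spec, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def signing_domain_aligned(sig: str, from_addr: str) -> bool:
    """True when the d= domain equals the From domain or is a parent of it."""
    d = parse_tags(sig).get("d", "").lower()
    from_domain = domain_of(from_addr)
    return bool(d) and (from_domain == d or from_domain.endswith("." + d))


def display_name_mismatch(display_name: str, addr: str, brands: dict) -> str:
    """Return the brand word if the display name invokes a brand whose domain
    differs from the address domain; '' when nothing suspicious is found."""
    from_domain = domain_of(addr)
    lowered = display_name.lower()
    for brand, brand_domain in brands.items():
        if brand in lowered and from_domain != brand_domain \
                and not from_domain.endswith("." + brand_domain):
            return brand
    return ""


def assess(headers: dict, brands: dict = KNOWN_BRANDS) -> list:
    """Run all three checks and return human-readable findings (empty = clean)."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    sig = headers.get("DKIM-Signature", "")
    if not from_header_is_signed(sig):
        findings.append("From header is not covered by the DKIM h= tag")
    if not signing_domain_aligned(sig, addr):
        findings.append("signing domain %r does not match From domain %r"
                        % (parse_tags(sig).get("d"), domain_of(addr)))
    brand = display_name_mismatch(name, addr, brands)
    if brand:
        findings.append("display name invokes %r but address domain is %r"
                        % (brand, domain_of(addr)))
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_HEADERS):
        print("WARNING:", finding)
```

On the constructed sample all three checks fire: the signature does not cover From, the `d=` domain is not the From domain, and the display name names a brand that the address domain does not belong to. The third check is the one the thread has no clean answer for; it only works against a list of names the verifier already knows, which is why a signature-aware MUA would still be the better fix.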