In the case of the example you gave joe(_dot_)user(_at_)x does not match
d=ispoofyou.com from the signature. Therefore an SSP is required using the
domain 'x' taken from joe(_dot_)user(_at_)x (the "Originator Address"). In
policy lookup is required any time the signing entity does not match the
domain of the From. The policy at domain 'x' will specify that it does not
allow "third-party signatures" and that's the end of the problem right?
----- Original Message -----
From: "Earl Hood" <earl(_at_)earlhood(_dot_)com>
Sent: Wednesday, July 27, 2005 5:43 PM
Subject: Spoofing revisited
I posted concerns about DKIM's effectiveness in protecting
Mike provided a response indicating that such concerns should
be addressed in the next revision of the draft(s):
However, after further examination of the Sender Signing Policy draft,
I'm not sure such concerns will be fully addressed.
Quoting from SSP:
Sender Signing Policy Checks MUST be based on the Originator
Address. If the message contains a valid signature on behalf of the
Originator Address no Sender Signing Policy Check need be performed:
the verifier SHOULD NOT look up the Sender Signing Policy and the
message SHOULD be considered non-Suspicious.
If this wording stays as-is, then the spoofing example I provided
will go undetected since the signature will be valid and the
verifier is not required to check the Sender Signing Policy
of the Originator Address.
Earl Hood, <earl(_at_)earlhood(_dot_)com>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>