
Re: Spoofing revisited

2005-07-27 16:15:32

The SSP behavior below is what I meant by this message:


----- Original Message -----
From: "Arvel Hathcock" <arvel(_at_)altn(_dot_)com>
To: "ietf-mailsig" <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Wednesday, July 27, 2005 5:59 PM
Subject: Re: Spoofing revisited


In the case of the example you gave, joe(_dot_)user(_at_)x does not match
from the signature. Therefore an SSP is required using the domain 'x' taken
from joe(_dot_)user(_at_)x (the "Originator Address"). In fact, this
policy lookup is required any time the signing entity does not match the
domain of the From. The policy at domain 'x' will specify that it does not
allow "third-party signatures" and that's the end of the problem, right?


----- Original Message -----
From: "Earl Hood" <earl(_at_)earlhood(_dot_)com>
To: <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Wednesday, July 27, 2005 5:43 PM
Subject: Spoofing revisited

I posted concerns about DKIM's effectiveness in protecting
against spoofing:

Mike provided a response indicating that such concerns should
be addressed in the next revision of the draft(s):

However, after further examination of the Sender Signing Policy draft,
I'm not sure such concerns will be fully addressed.

Quoting from SSP:

 Sender Signing Policy Checks MUST be based on the Originator
 Address. If the message contains a valid signature on behalf of the
 Originator Address no Sender Signing Policy Check need be performed:
 the verifier SHOULD NOT look up the Sender Signing Policy and the
 message SHOULD be considered non-Suspicious.
(Sec. 4)

If this wording stays as-is, then the spoofing example I provided
will go undetected since the signature will be valid and the
verifier is not required to check the Sender Signing Policy
of the Originator Address.

Earl Hood, <earl(_at_)earlhood(_dot_)com>
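
The two verifier readings discussed in this thread, as an added Python sketch that is not part of the original messages or of any DKIM implementation: one skips the policy check on any valid signature, the other skips it only when the signer matches the domain of the From address. The policy table, the field name `allow_third_party`, the domain names and the result strings are assumptions made for illustration, and every domain in the table is assumed to sign all of its own mail.

```python
from dataclasses import dataclass

# Constructed stand-in for the DNS lookup of a Sender Signing Policy.
# Domains and the "allow_third_party" field are assumptions, not SSP syntax.
POLICIES = {
    "x": {"allow_third_party": False},
    "lists.example": {"allow_third_party": True},
}

@dataclass
class Message:
    originator: str       # Originator Address (taken from the From header)
    signer_domain: str    # domain of the signing entity
    signature_valid: bool

def domain_of(address):
    return address.rsplit("@", 1)[1].lower()

def ssp_check(msg):
    """Look up the policy of the Originator Address domain and apply it."""
    policy = POLICIES.get(domain_of(msg.originator))
    if policy is None:
        return "no-policy"  # assumption: nothing published, nothing to enforce
    if msg.signature_valid and policy["allow_third_party"]:
        return "non-suspicious"
    return "suspicious"

def verify_any_valid_signature(msg):
    """The reading of concern: any valid signature ends the check."""
    if msg.signature_valid:
        return "non-suspicious"  # originator's policy is never consulted
    return ssp_check(msg)

def verify_signer_matches_from(msg):
    """The reading in the reply: skip SSP only when signer == From domain."""
    if msg.signature_valid and msg.signer_domain.lower() == domain_of(msg.originator):
        return "non-suspicious"
    return ssp_check(msg)

# Constructed sample messages.
THIRD_PARTY = Message("joe.user@x", "y.example", True)   # signed by another domain
FIRST_PARTY = Message("joe.user@x", "x", True)           # signed by domain 'x'
LIST_RELAY = Message("member@lists.example", "relay.example", True)

if __name__ == "__main__":
    for m in (THIRD_PARTY, FIRST_PARTY, LIST_RELAY):
        print(m.originator, m.signer_domain,
              verify_any_valid_signature(m), verify_signer_matches_from(m))
```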
