ietf-mailsig
[Top] [All Lists]

Re: The cost of choices

2005-07-27 19:34:55

On July 27, 2005 at 19:31, "Arvel Hathcock" wrote:

Yes, this is correct and is the mechanism preventing an attacker from 
spoofing your domain in the From header and signing with his own key thereby 
possibly making the recipient assume you sent a signed message.

YES!  However, this checking currently goes contrary to the wording
of the SSP draft.  If the signature is valid, doing a SSP lookup
is not required.

To deal with the above scenario, SSP lookup must always be done,
even if the signature is valid.

--ewh

<Prev in Thread] Current Thread [Next in Thread>