he he... I see. To summarize, when the i=/d= does not match the FROM then
an SSP check is required to see if the FROM domain allows third party
signing.
--
Arvel
----- Original Message -----
From: "Earl Hood" <earl(_at_)earlhood(_dot_)com>
To: "ietf-mailsig" <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Wednesday, July 27, 2005 8:54 PM
Subject: Re: Spoofing revisited
On July 27, 2005 at 17:59, "Arvel Hathcock" wrote:
In the case of the example you gave joe(_dot_)user(_at_)x does not match
d=ispoofyou.com from the signature. Therefore an SSP is required using
the
domain 'x' taken from joe(_dot_)user(_at_)x (the "Originator Address"). In fact,
this
policy lookup is required any time the signing entity does not match the
domain of the From. The policy at domain 'x' will specify that it does
not
allow "third-party signatures" and that's the end of the problem right?
Unfortunately, the mail archives address harvesting protection
messed up the example. Here it is again (which the archives will
mangle):
DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
c=simple; q=dns;
h=Received : From : To : Subject : Date : Message-ID;
b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
VoG4ZHRNiYzR;
Received: from 10.2.3.4-example.com [10.2.3.4]
by submitserver.example.com with SUBMISSION;
Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
From: Joe User <joe(_dot_)user(_at_)example(_dot_)com>
To: Suzie Q <suzie(_at_)shopping(_dot_)example(_dot_)net>
Subject: I need your help?
Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
Message-ID: <20030712040037(_dot_)46341(_dot_)5F8J(_at_)example(_dot_)com>
...
In the example, the i= is a sub-domain of d=, but the From is
of a different domain (and what is displayed by MUAs).
--ewh