Wietse Venema:
> Hector Santos:
> > > A bad actor can register look-alike domains and add their own DKIM
> > > signature sent through any number of providers. Designation does not
> > > make this problem worse. With the entire email-address being
> > > internationalized, a problem of visual recognition must be handled
> > > through other strategies.
> >
> > What Frank is saying is the ISP.COM has all power to control this and
> > protect his users from direct DKIM phish attacks in a very elegant and
> > graceful manner using SSP.
> >
> > Example:
Apologies. Let me phrase this better.
None of these loopholes would exist if signatures could vouch only
for rfc822.from domains that match the signature's d= domain (*).
Third-party signatures are part of the problem. Making them "work
right" requires additional complexity. Complexity leads to error,
vulnerability and exploitation.
Wietse
(*) This is possible even when the signer is in a different domain.
All they need is the private key that matches the public key
in the d= DNS record. That record can, but does not have to,
be CNAME delegated to the signer's DNS.
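As an added illustration of the strict rule Wietse describes above (a signature vouches only for a From domain that exactly equals its d= domain, and the public key lives at selector._domainkey.d=, which may be a CNAME into the signer's zone), here is a small alignment check; it is not code from this thread or from any DKIM implementation, and all headers and domain names in it are constructed samples.

```python
import re
from email.utils import parseaddr

def from_domain(from_header):
    """Lower-cased domain of the single address in a From: header,
    or None if it cannot be parsed (no '@')."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()

def dkim_tags(sig_header):
    """Parse the tag=value list of a DKIM-Signature header; folding
    whitespace is tolerated, a duplicated tag makes the header invalid."""
    tags = {}
    for part in sig_header.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            return None
        k, v = part.split("=", 1)
        k = k.strip()
        if k in tags:
            return None
        tags[k] = re.sub(r"\s+", "", v)
    return tags

def key_record_name(tags):
    """DNS name of the public key: <s>._domainkey.<d>.  That record can be
    CNAME-delegated to another zone without changing the d= domain."""
    return f"{tags['s']}._domainkey.{tags['d'].lower()}"

def strictly_aligned(from_header, sig_headers):
    """True iff some DKIM-Signature has d= equal to the From domain;
    third-party signatures (any other d=) simply do not count."""
    fd = from_domain(from_header)
    if fd is None:
        return False
    for sig in sig_headers:
        tags = dkim_tags(sig)
        if tags and tags.get("d", "").lower() == fd:
            return True
    return False

# constructed sample headers: first-party, third-party and look-alike signers
FROM_OK = "Alice <alice@example.com>"
SIG_FIRST = "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to; bh=AAA=; b=BBB="
SIG_THIRD = "v=1; a=rsa-sha256; d=mailer.example.net; s=k1; h=from; bh=AAA=; b=CCC="
SIG_LOOKALIKE = "v=1; a=rsa-sha256; d=examp1e.com; s=x; h=from; bh=AAA=; b=DDD="
```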
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html