On Sat, 2006-08-26 at 22:29 -0400, Wietse Venema wrote: > None of these loopholes would exist if d= domains were required to > match rfc822.from domains (*). Third party signatures are part of > the problem. Making them "work right" requires additional complexity. > Complexity leads to error, vulnerability and exploitation.
No. Look-alike exploits exist without designated domains. Any protection from a look-alike attack requires annotation that indicates when the 2822.From address has been assured as being valid, and when this address is also in the address book. Increasing the number of situation where 2822.From address validation is conveyed improves the protections afforded by DKIM. This is a specious argument against designated domains. The MUA or the ISP can decide not to offer any annotation related to 2822.From policy related assurances when they think it is unsafe. Seldom does less information improve security however. -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
