> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ietf-dkim-
> [EMAIL PROTECTED] On Behalf Of Charles Lindsey
> Sent: Friday, April 11, 2008 12:10 PM
> To: DKIM
> Subject: [ietf-dkim] Fwd: Re: New Issue: protecting a domain name
> vs. protecting a domain tree
> 
> On Wed, 09 Apr 2008 19:27:27 +0100, Dave Crocker <[EMAIL PROTECTED]> wrote:
> 
> > Eric Allman wrote:
> >> Dave, I'm not understanding how the algorithm can work if you omit step
> >> 2 from section 4.2.2.
> 
> > The attack that you describe requires using some name other than the one
> > that is listed.  The single, specific name that is listed is, indeed,
> > "protected".
> 
> Sure, if a phisher includes
>       From: [EMAIL PROTECTED]
> then SSP/DKIM will catch him.
> 
> If the phisher includes
>      From: [EMAIL PROTECTED]
> then we know that SSP/DKIM cannot catch him, and there is not much we can
> do about that other than to advise phishees to read From headers _very_
> carefully.
> 
> But if the phisher includes
>       From: [EMAIL PROTECTED]
> where the domain mailout.ebay.com does not exist, then it needs to be
> caught somehow, since the phishee will look at it _very_ carefully and
> will find it perfectly reasonable (as indeed it is).
> 
> So if we cannot arrange that mailout.ebay.com is not caught by some
> sub-domain mechanism within SSP, then we at least need to say, perhaps
> non-normatively:
> 
> "Although it is impossible to obtain an SSP record for a non-existent
> sub-domain of a protected domain, verifiers might well choose to
> reject/discard/whatever messages with non-existent domains in From headers
> as a matter of policy quite separate from their policies arising from
> SSP/DKIM."
> 
> 
> 

This is one of the reasons that I raised the question of whether it is
possible to find the "base" domain (not TLD) that the organization
controls. If this is possible then we may have the ability for ADSP to
assert that all sub-domains in a tree only send mail that is DKIM
signed. If this is not possible to do then I don't know that
non-existent sub-domains can be protected by DKIM/ADSP.

Mike

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
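
The three From cases Charles lists, and the two remedies raised in this thread (rejecting non-existent From domains as local policy, and applying a base domain's policy to its whole tree), as an added example that is not from any list participant or from the SSP/ADSP drafts. The ZONE table, the lookalike name, the SUFFIXES table and the "all-signed" policy label are constructed assumptions standing in for DNS and a published record.

```python
# Constructed stand-in for DNS: names that exist, mapped to the signing
# policy they publish (None = exists but publishes no policy record).
ZONE = {
    "ebay.com": "all-signed",        # assumed to be the protected domain
    "ebay-mailout.example": None,    # constructed lookalike, a real name
}
# Hypothetical registry-suffix table used to find the "base" domain.
SUFFIXES = {"com", "example"}


def base_domain(domain):
    """Return the name one label below the longest matching suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def evaluate(from_domain, signer, reject_nonexistent=True, use_base=False):
    """Classify a message by its From domain and DKIM signer (d=) domain.

    signer is the domain of a valid DKIM signature, or None if unsigned.
    """
    domain = from_domain.lower().rstrip(".")
    if domain in ZONE:
        # Exact-name lookup: the only case the listed record covers.
        if ZONE[domain] == "all-signed" and signer != domain:
            return "fail-policy"
        return "pass"
    # From here on the From domain does not exist, so it has no record.
    if use_base:
        base = base_domain(domain)
        if ZONE.get(base) == "all-signed" and signer not in (domain, base):
            return "fail-tree-policy"
    if reject_nonexistent:
        return "reject-nonexistent"   # local policy, separate from SSP
    return "pass"


if __name__ == "__main__":
    for dom in ("ebay.com", "ebay-mailout.example", "mailout.ebay.com"):
        print(dom, evaluate(dom, None),
              evaluate(dom, None, reject_nonexistent=False),
              evaluate(dom, None, reject_nonexistent=False, use_base=True))
```

With both remedies switched off, the unsigned message from mailout.ebay.com passes, which is the gap the thread is about; the lookalike passes under every setting.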
