On 10/15/10 2:10 PM, Wietse Venema wrote:
> MH Michael Hammer (5304):
>
>> On Friday, October 15, 2010 11:59 AM, Bill Oxley wrote:
>>
>> Well a broken signature is morally equivalent to unsigned so I'm
>> not sure of the potential harm...
>
> And this is where I angst. In all the discussions of a broken
> signature being morally equivalent to unsigned, the thrust has been
> that it was likely broken in transit. We failed to have the
> discussion of it being intentionally broken in transit as an
> attempt to game the system. For header mutations after signing
> (which are likely to be a malicious attempt in the specific cases
> we have been discussing) I feel that treating it as simply the same
> as unsigned is ignoring the potential maliciousness.
>
> I'm sure this was discussed before, but perhaps a refresher helps.
> How would the DKIM validator know the difference between:
>
> A: The message had a valid signature, but it was broken after
> signing.
>
> B: The message is a forgery with a bogus signature.
>
> If the DKIM validator cannot make that distinction, then the bad guys
> will do B and the validator will treat it as A.
Email is not handled in one step. Upstream processes may improperly handle messages on the basis of DKIM where a signature might be improperly considered valid with an unsigned pre-pended From header field. This would be due to the verification process not being explicit. Had the process been explicit, it is likely the message would have been refused.

It is not safe to assume prior processing would have considered such a message to have had an invalid signature. The best method to handle this situation would be to refuse the message. An invalid signature without multiple From header fields is considerably different and has many innocuous causes.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
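The explicit check Doug argues for, as an added example that is not part of the thread or of any DKIM implementation: it parses a raw header block, applies the verifier's selection rule for the h= tag (RFC 4871 section 5.4, carried over to RFC 6376 section 5.4.2: each name in h= selects the physically last not-yet-selected instance of that field, so selection runs bottom-up), and then reports whether every From: instance is covered by the signature and whether the message carries more than one From: at all (RFC 5322 allows exactly one). The sample messages, the domain names and the bh=/b= placeholder values are constructed for illustration; no cryptographic verification is performed, only the header-selection and From-count logic that decides whether a message should be refused before any signature is checked.

```python
from typing import Dict, List, Set, Tuple

Field = Tuple[str, str]


def parse_header_block(raw: str) -> List[Field]:
    """Split a raw message into (name, value) header fields in physical order.

    Continuation lines (leading SP/HTAB) are unfolded onto the preceding
    field. Parsing stops at the first empty line, which ends the header block.
    """
    fields: List[Field] = []
    for line in raw.splitlines():
        if line == "":
            break
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.strip(), value.strip()))
    return fields


def signed_header_names(signature_value: str) -> List[str]:
    """Return the lower-cased field names listed in the h= tag of a DKIM-Signature value."""
    for tag in signature_value.split(";"):
        key, _, val = tag.strip().partition("=")
        if key.strip().lower() == "h":
            return [n.strip().lower() for n in val.split(":") if n.strip()]
    return []


def covered_indices(fields: List[Field], h_names: List[str]) -> Set[int]:
    """Indices into `fields` of the instances a verifier hashes for the h= list.

    Each name in h= takes the last physical instance of that field not already
    taken (bottom-up). A name listed more times than it occurs ("oversigning")
    selects nothing now but would cover any instance added after signing.
    """
    remaining: Dict[str, List[int]] = {}
    for idx, (name, _) in enumerate(fields):
        remaining.setdefault(name.lower(), []).append(idx)
    selected: Set[int] = set()
    for name in h_names:
        stack = remaining.get(name, [])
        if stack:
            selected.add(stack.pop())  # bottom-most unselected instance
    return selected


def check_from_fields(raw: str) -> Dict[str, object]:
    """Relate the From: fields to the first DKIM-Signature's h= tag and give a verdict."""
    fields = parse_header_block(raw)
    from_idx = [i for i, (n, _) in enumerate(fields) if n.lower() == "from"]
    sig = next((v for n, v in fields if n.lower() == "dkim-signature"), "")
    covered = covered_indices(fields, signed_header_names(sig)) if sig else set()
    uncovered = [i for i in from_idx if i not in covered]
    if len(from_idx) != 1:
        verdict = "refuse"            # RFC 5322: exactly one From: field
    elif uncovered:
        verdict = "from-not-signed"   # single From:, but the signature omits it
    else:
        verdict = "ok"
    return {
        "from_count": len(from_idx),
        "uncovered_from": [fields[i][1] for i in uncovered],
        "verdict": verdict,
    }


# Constructed sample (hypothetical domains, placeholder signature values):
# h= lists "from" once, so the verifier selects the bottom-most From:,
# leaving a second From: that was prepended after signing uncovered.
PREPENDED_FROM = (
    'From: "Trusted Bank" <alerts@bank.example>\n'
    "DKIM-Signature: v=1; a=rsa-sha256; d=mail.example; s=sel;\n"
    " h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Someone <someone@mail.example>\n"
    "To: victim@example.net\n"
    "Subject: account notice\n"
    "Date: Fri, 15 Oct 2010 12:00:00 +0000\n"
    "\n"
    "body\n"
)

# The same constructed message with only its original From: field.
SINGLE_FROM = PREPENDED_FROM.split("\n", 1)[1]

if __name__ == "__main__":
    print(check_from_fields(PREPENDED_FROM))  # from_count 2 -> refuse
    print(check_from_fields(SINGLE_FROM))     # from_count 1 -> ok
```

The point of running the From: count before any cryptographic work is the one made above: a verifier that only asks "does the signature validate over the fields h= names?" answers yes for the prepended message, because the added From: is simply not among the selected instances. Counting From: fields is the explicit step that turns that message into a refusal, while a lone From: with a failing signature keeps its many innocuous explanations.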
