> -----Original Message----- > From: [email protected] [mailto:[email protected]] > On Behalf Of Steve Atkins > Sent: Monday, October 25, 2010 12:54 PM > To: IETF DKIM WG > Subject: Re: [ietf-dkim] Proposal for new text about multiple header issues > > > I'd strike "during a replay attack" because, as some have noted, the > > attack can be constructed deliberately on an original message. > > The real risk here is that someone can present a message as signed by > someone trustworthy that has content different to that which was > provided by the trusted signer. If the entity adding the additional > content is the original signer, it may be a message composition bug, > but it's not really any sort of attack on DKIM. > > Striking "replay attack" might make it less clear what the actual risk > is, rather than more clear. > > ("... can be abused, e.g. during a replay attack, by adding ..." ?)
Isn't the more interesting attack a signature from some throwaway domain that covered a matching From: but also contained a From: indicating some high-value phish target? > > It's also not specific to MUAs. Filtering agents can be similarly > > duped. > > They can, yes, though I'm not sure that's needed to explain why this > may be a bad thing to allow. Focusing on the MUA case might inadvertently suggest to implementers of other components that this is not a concern for them. _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
