On Thu, 07 Jul 2011 22:06:29 +0100, Murray S. Kucherawy <[email protected]> wrote:
> My favourite counterexample, which I've used many times already, is > Mailman. It doesn't even check DKIM signatures, but you can still fake > your way through its authorization process such that a different From: > is shown to the user for some MUAs. Can you please give me a pointer to that? > > This still supports the notion that we fear people will misapply DKIM > results as the basis for the attack. Your proposed changes here won't > remedy that. > >> Oh yes there is! Because identity assessors will undoubtedly give more >> credence to messages where the signature domain is the same as the >> author >> (i.e.From:) domain, even if they do not go to the extent of doing full >> ADSP, and that is just what the BadGuy hopes will happen. > > Whose? Mine don't, and the text doesn't support that notion either. If DKIM is not intended to give added credance to messages, then what on earth is its purpose at all. Yes, it needs to be interpreted with care and understanding, and our Security Considerations are the vehicle for improving that understanding. I suspect may assessors will use a scoring system (like Spamassassin), where a signed message, even from a totally unknown domain, will add some positive contribution. >> Signers who are BadGuys don't give a damn about the reputation of their >> domains. Having displatched a million or so phishes with "d=badguy.com", >> they will abandon that domain and use "d=son-of-badguy.com" for the next >> batch. All that can be said of the reputation of badguy.com is that it >> is >> a new domain, never seen before (but new domains are appearing all the >> time, and must be assumed more-or-less innocent until proven >> otherwise). > > Certainly true, and certainly fodder for a BCP for using DKIM or even > reputation, but not for the DKIM protocol specification (especially > since we declared reputation out-of-scope ages ago). Yes, it is out of scope to suggest mentioning it, but that has not stopped people from using it to undermine my case (which it doesn't if the badguy is using throwayay domains). -- Charles H. Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl Email: [email protected] Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
