> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Michael Deutschmann
> Sent: Sunday, July 10, 2011 12:53 AM
> To: DKIM List
> Subject: Re: [ietf-dkim] Doublefrom language should be in ADSP, not core
>
> The attack only matters if the user believes that forgery is impossible
> because his ISP and the putative sender both "deploy ADSP" -- and thus the
> fact that the message made it to his mailbox means it has to be validly
> signed. (Of course, such users are suckers for messages from
> "0bama"...)

I think the attack only matters if the MUA believes that the only thing ever present in the inbox is a validly-formed message, *and* the presence of a DKIM signature (regardless of signing domain) means the message is somehow more valid than one without.

> Otherwise, "Obama" messages with an alternate From: (which the forger
> hopes the MUA will ignore) and signature for that second From:, are no
> more convincing than plain old forgeries with a single From: and no
> signature at all.

+1

> In fact, they can be less effective, since:
>
> 1. At any step on the way, the message may be rejected as a protocol
> violation.

Right, or have the extra From: arbitrarily removed.

> 2. The MUA might display to the user, the From: instance that was
> intended by the forger for the validator's eyes only.
>
> 3. The lazy validator might act on the From: instance that was intended
> by the forger for the MUA to display.
>
> Failures (from the forger's perspective) 1 and 2 produce a result less
> convincing than a simple unsigned forgery. Failure 3 produces a result
> no more convincing than the simple unsigned forgery.

+1

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
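As an added defender-side example (written for this page, not code from the thread or from any DKIM implementation), the header-hygiene check a receiving MTA or validator can run before any From: instance is trusted or displayed: reject messages with more than one From: field (RFC 5322 allows exactly one, the "protocol violation" rejection in point 1 above) and report whether the DKIM-Signature h= tag oversigns From: per RFC 6376, so that a From: added after signing breaks the signature. The sample messages, domains and the bh=/b= placeholder values are constructed; no signature is cryptographically verified.

```python
import re
from email import message_from_string


def signed_header_counts(dkim_signature_value):
    """Count how often each header name appears in the h= tag of one
    DKIM-Signature value. RFC 6376 lets a name be listed more often than
    the header occurs (oversigning); the surplus entry signs the absence
    of a further such header, so adding one later invalidates the signature."""
    counts = {}
    unfolded = re.sub(r"\s+", "", dkim_signature_value)  # drop folding whitespace
    for tag in unfolded.split(";"):
        if tag.startswith("h="):  # "bh=" is a different tag and does not match
            for name in tag[2:].split(":"):
                if name:
                    counts[name.lower()] = counts.get(name.lower(), 0) + 1
    return counts


def audit_double_from(raw_message):
    """Return (verdict, from_count, signed_from_count) for a raw RFC 5322 message.
    Header hygiene only: the signature itself is not verified here."""
    msg = message_from_string(raw_message)
    from_count = len(msg.get_all("From") or [])
    signed_from = max((signed_header_counts(s).get("from", 0)
                       for s in (msg.get_all("DKIM-Signature") or [])), default=0)
    if from_count != 1:
        # Reject before verifying, so neither the validator nor the MUA
        # ever has to guess which From: instance is the "real" one.
        return ("reject: %d From: fields (RFC 5322 allows exactly one)" % from_count,
                from_count, signed_from)
    if signed_from == 0:
        return ("unsigned: h= does not cover From:", from_count, signed_from)
    if signed_from == 1:
        return ("weak: h= lists From: once, so a later-added From: would be unsigned",
                from_count, signed_from)
    return ("ok: From: oversigned, a later-added From: would break the signature",
            from_count, signed_from)


# Constructed sample messages; bh= and b= carry placeholders, not real values.
SIG = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel; h=%s;\n"
       "\tbh=PLACEHOLDER; b=PLACEHOLDER\n")
DOUBLE_FROM = (SIG % "from:to:subject"
               + "From: Alice <alice@example.net>\nFrom: Bob <bob@example.org>\n"
               + "To: carol@example.com\nSubject: hello\n\nbody\n")
OVERSIGNED = (SIG % "from:from:to:subject"
              + "From: Alice <alice@example.net>\n"
              + "To: carol@example.com\nSubject: hello\n\nbody\n")
```

`audit_double_from(DOUBLE_FROM)` returns the reject verdict with a From: count of 2, while `OVERSIGNED` is reported as "ok" because h= names From: twice for a single From: field.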
