--On 16 September 2010 09:49:40 -0700 "Murray S. Kucherawy" <m...@cloudmark.com> wrote:
>> -----Original Message-----
>> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Ian Eiloart
>> Sent: Thursday, September 16, 2010 3:20 AM
>> To: Hector Santos; ietf-dkim@mipassoc.org
>> Subject: Re: [ietf-dkim] draft-vesely-dkim-joint-sigs
>>
>> I don't think so. The original signature should only sign the DKIM-required and From headers, and perhaps enough other headers to reduce utility of replay attacks. Importantly, they should only sign parts that are likely to be unbroken by the MLM, thus satisfying ADSP requirements. However, the recipient knows that a valid signature from the MLM is required, too. Thus, the original DKIM signature is only valid for messages going through the list - off list replay isn't possible. On-list replay can be limited by ALSO including a full DKIM signature, for the list to check before redistributing.
>
> I'm worried about that third sentence. If people are encouraged not to sign Subject:, for example, which is a popular display header field, one could spamify that field and re-send the message.
>
> If you subscribe to the idea that a DKIM signature reflects a domain taking some responsibility for a message, I'd have a hard time not signing Subject: (or From:) for any reason.

I guess for this to work, the MLM admin needs to be looking for a good full signature. Lists that don't rewrite the subject are going to work better here, but more serious is the lack of signature for the body. Still, the attack that you describe is fairly esoteric, and targeted specifically to the list (remember, the sender can add a list-id header, and sign that!). It may be too expensive to be profitable.
--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
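The trade-off Ian and Murray are discussing, as an added example that is not part of the thread: a signature whose h= omits Subject tolerates the list's subject tag but equally tolerates a later edit of Subject, while a sender-added, signed List-Id still causes the signature to fail when the message is replayed to a different list. The header values, the placeholder key and the use of HMAC in place of the RSA signature are assumptions of this example, not anything from the thread.

```python
import hashlib
import hmac
import re

# Constructed illustration of the thread's point (not code from the list or
# any DKIM library). RFC 6376 relaxed header canonicalization is modelled;
# HMAC-SHA256 stands in for the RSA signature so it runs without a key pair.
# Assumptions: headers are a dict keyed by canonical names, one value each,
# and the DKIM-Signature field itself is left out of the signed data.
SIGNING_KEY = b"placeholder-signing-key"


def relaxed_header(name, value):
    """RFC 6376 s.3.4.2: lowercase the name, unfold, collapse WSP, trim."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def sign(headers, h_tag):
    """Sign only the fields named in h= (in that order); any other field
    can change afterwards without affecting verification."""
    data = "".join(relaxed_header(n, headers[n]) for n in h_tag if n in headers)
    return hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()


def verify(headers, h_tag, signature):
    return hmac.compare_digest(sign(headers, h_tag), signature)


def signing_policy_demo():
    """Compare the minimal h= Ian proposes (From plus a sender-added List-Id)
    with a full h= that also covers Subject, across three later edits."""
    original = {"From": "alice@example.com", "To": "list@example.org",
                "Subject": "Minutes from Tuesday",
                "List-Id": "<dkim.lists.example.org>"}
    minimal_h, full_h = ["From", "List-Id"], ["From", "To", "Subject", "List-Id"]
    min_sig, full_sig = sign(original, minimal_h), sign(original, full_h)

    subject_edited = dict(original, Subject="Altered subject text")  # on-list replay
    list_tagged = dict(original, Subject="[dkim] Minutes from Tuesday")  # MLM rewrite
    other_list = dict(original, **{"List-Id": "<other.lists.example.net>"})  # off-list
    return {
        "minimal_after_subject_edit": verify(subject_edited, minimal_h, min_sig),
        "full_after_subject_edit": verify(subject_edited, full_h, full_sig),
        "minimal_after_list_tag": verify(list_tagged, minimal_h, min_sig),
        "full_after_list_tag": verify(list_tagged, full_h, full_sig),
        "minimal_after_other_list": verify(other_list, minimal_h, min_sig),
    }
```

The result shows why the thread weighs a minimal h= against a full one: the minimal signature survives the list's subject tag and the off-list replay fails, but a modified Subject on the same list still verifies, which is exactly the gap the "good full signature" checked by the MLM is meant to close.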