On Wed, 06 Oct 2010 13:00:25 +0100, Steve Atkins <st...@wordtothewise.com>  
wrote:

> On Oct 6, 2010, at 1:47 AM, Mark Delany wrote:

>> Right. We could attempt to enumerate the 1,000 edge-cases we know
>> today and then re-bis 4871 for the additional 1,000 edge-cases we
>> learn tomorrow, or we could simply say that invalid 2822 messages
>> MUST never verify and call it a day.
>
> To comply with that MUST every DKIM verifier would have to
> include a full 5322 verifier. That's a fairly high bar.

No, that is not true, as I have demonstrated in the text I have proposed.

You only need to look at whatever headers are actually mentioned in the  
"h=" tag of the signature, and you only need to verify those properties of  
those headers that could lead to trouble, and that would seem to be a  
simple count of the number of occurrences of those headers.

That is actually quite a low bar.

> Either the message has a valid DKIM signature, or it does not.
> If the signature is valid, then the signing domain takes responsibility
> for the message, subtly malformed or not. Just because the message
> lacks a Date: header or has bare linefeeds doesn't mean that the
> signing domain isn't responsible for it.

The signing domain can only take responsibility for the message it signs.  
It cannot take responsibility for slightly altered copies of the message  
that get used in replay attacks.

It is DKIM's job to detect such cases, and in the case of the particular  
scam under discussion it would be quite simple for it to do so.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: ...@clerew.man.ac.uk      snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
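
The occurrence count described in the message above, as an added example (not code from the original post or from any DKIM implementation). It assumes "trouble" means a header named in "h=" that appears in the message more often than "h=" lists it, so at least one copy is not covered by the signature; the function names and the sample message are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample: a second From: was prepended after signing. The bh=/b=
# values are placeholders; no cryptographic verification is done here.
SAMPLE = (
    "From: Someone Else <other@example.net>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
    " h=from : to : subject : date; bh=PLACEHOLDER=; b=PLACEHOLDER==\n"
    "From: Real Sender <real@example.com>\n"
    "To: list@example.org\n"
    "Subject: hello\n"
    "Date: Wed, 06 Oct 2010 13:00:25 +0100\n"
    "\n"
    "body\n"
)

def signed_header_names(sig_value):
    """Lower-cased header names from the h= tag, in order, repeats kept."""
    tags = {}
    for part in sig_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Folding whitespace is allowed inside tag values; drop it.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return [h.lower() for h in tags.get("h", "").split(":") if h]

def unsigned_duplicates(raw_message):
    """Map header name -> (copies in message, times listed in h=) for every
    signed header that has more copies than the signature covers."""
    msg = message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")  # first signature only, for brevity
    if sig is None:
        return {}
    listed = Counter(signed_header_names(sig))
    present = Counter(name.lower() for name in msg.keys())
    return {h: (present[h], n) for h, n in listed.items() if present[h] > n}

if __name__ == "__main__":
    for header, (seen, covered) in unsigned_duplicates(SAMPLE).items():
        print(f"{header}: {seen} in message, {covered} covered by h=")
```

A header listed twice in "h=" with two copies present is not flagged, since both copies are covered by the signature.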
