Dave CROCKER wrote:
> 
> On 10/11/2010 3:05 PM, Wietse Venema wrote:
>> If you believe that sending mail with a valid bad guy signature is
>> an interesting attack on DKIM, then that implies that you're willing
>> to believe mail that is signed by arbitrary strangers.
> 
> 
> Well...
> 
> But it's not an attack on DKIM.
> 
> It's not really an 'attack' on anything, but the most one could claim is that 
> it's an attack on the recipient's reputation database, or failure to use one.
> 
> The DKIM part is used correctly and works fine.  So there's no 'attack'.

That's "poster framing" material.

I sure hope you are right.  After all, President Obama did get by your 
defenses on your list.

   No Signature, Double From ---> Trapped/rejected by mipassoc.org
   DKIM signed Double From  ----> Accepted, Resigned by mipassoc.org

So without DKIM, 100% RFC5322 compliant - trapped multiple 5322.From 
headers.  With DKIM, there is a loophole.  Go figure.

Let's hope this DKIM exploit does not become commonplace and surprise 
a bunch of layman operators.  At that point, you can say you were aware 
of it.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
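The behaviour described above (a message with two 5322.From headers is trapped when unsigned but accepted once it carries a valid DKIM signature) comes down to which check the receiver runs first. The following is an added example, not code from this thread or from the mipassoc.org list software: a Python pre-check a receiver can run before DKIM verification that refuses any message repeating a header RFC 5322 section 3.6 allows only once, and separately reports whether each DKIM-Signature lists From twice in its h= tag (the over-signing defence later written into RFC 6376 section 8.15). The test messages are constructed and the b= values are placeholders, not real signatures.

```python
"""Receiver-side pre-checks for duplicated RFC 5322 headers.

Added example, not from the thread. Run these before DKIM verification so a
valid signature cannot carry a double-From message past the structural check.
"""
from email import policy
from email.parser import BytesParser

# Header fields that RFC 5322 section 3.6 permits at most once per message.
SINGLETON_HEADERS = (
    "from", "sender", "reply-to", "to", "cc", "bcc", "date",
    "message-id", "in-reply-to", "references", "subject",
)


def _parse(raw):
    # The compat32 policy keeps every header instance, so duplicates stay visible.
    return BytesParser(policy=policy.compat32).parsebytes(raw)


def duplicated_singletons(raw):
    """Return the singleton header names that appear more than once."""
    counts = {}
    for name in _parse(raw).keys():
        key = name.lower()
        counts[key] = counts.get(key, 0) + 1
    return sorted(name for name in SINGLETON_HEADERS if counts.get(name, 0) > 1)


def _dkim_tags(value):
    """Split a (possibly folded) DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in " ".join(value.split()).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def dkim_oversigns_from(raw):
    """True if every DKIM-Signature names From at least twice in h=.

    Over-signing makes the signature fail if a second From is appended after
    signing, which is the mitigation RFC 6376 section 8.15 recommends.
    """
    sigs = _parse(raw).get_all("DKIM-Signature") or []
    if not sigs:
        return False
    for sig in sigs:
        signed = [f.strip().lower() for f in _dkim_tags(sig).get("h", "").split(":")]
        if signed.count("from") < 2:
            return False
    return True


def accept_for_verification(raw):
    """Gate: only structurally valid messages proceed to DKIM verification."""
    return not duplicated_singletons(raw)


# Constructed sample messages; b= and bh= are placeholders, not real signatures.
DOUBLE_FROM = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
    b"\th=From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: Signer <signer@example.com>\r\n"
    b"From: someone-else@example.net\r\n"
    b"To: list@example.org\r\n"
    b"Subject: Hello\r\n"
    b"Date: Mon, 11 Oct 2010 15:05:00 -0400\r\n"
    b"\r\nbody\r\n"
)

OVERSIGNED = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
    b"\th=From:From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: Signer <signer@example.com>\r\n"
    b"To: list@example.org\r\n"
    b"Subject: Hello\r\n"
    b"Date: Mon, 11 Oct 2010 15:05:00 -0400\r\n"
    b"\r\nbody\r\n"
)

CLEAN = (
    b"From: Signer <signer@example.com>\r\n"
    b"To: list@example.org\r\n"
    b"Subject: Hello\r\n"
    b"Date: Mon, 11 Oct 2010 15:05:00 -0400\r\n"
    b"\r\nbody\r\n"
)

if __name__ == "__main__":
    for label, raw in (("double-from", DOUBLE_FROM), ("oversigned", OVERSIGNED), ("clean", CLEAN)):
        print(label, "duplicates:", duplicated_singletons(raw),
              "accept:", accept_for_verification(raw),
              "from-oversigned:", dkim_oversigns_from(raw))
```

The structural gate runs on the raw header block before any signature work, so a message like the double-From one above is refused the same way the unsigned variant was, regardless of whether its signature verifies. The over-signing check is a separate, signer-side property worth reporting: a signature that covers From twice would break if a second From were appended after signing.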


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
