On Mon, 11 Oct 2010 23:05:13 +0100, Wietse Venema <wie...@porcupine.org> wrote:
> Charles Lindsey:
>> > When the bad guy sends mail with (multiple) forged headers, the
>> > best they can get is that naive mail programs render their forged
>> > header with an indication that THE BAD GUY'S DKIM SIGNATURE VERIFIED.
>> >
>> > Sending forged headers with bad guy's DKIM signatures is not an
>> > interesting attack on DKIM.
>>
>> On the contrary, it is an exceedingly interesting attack.

Note that Wietse is replying to a message that I mistakenly sent to him offlist. I have now reposted that message for all to see.

> If you believe that sending mail with a valid bad guy signature is
> an interesting attack on DKIM, then that implies that you're willing
> to believe mail that is signed by arbitrary strangers. That is a
> problem that DKIM is not designed to solve.

The average naive user never gets the chance to be willing or not to believe mail that is signed by arbitrary strangers, for the simple reason that his MUA does not routinely display any headers that mention signatures at all. All he sees is a message apparently From a known genuine ebay address (his MUA happens not to show the second From placed there by the phisher).

Worse, he may be vaguely aware that his provider/boundary implements some amazing crypto stuff that purportedly guarantees that forged email From genuine ebay addresses will be stopped, and that will reinforce his belief that the message he saw is genuine. And yet the tests provided by his provider/boundary are 100% 4871 compliant.

Surely this shows that there is something seriously wrong with 4871, which is clearly not providing the service it was supposed to.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl
Email: ...@clerew.man.ac.uk snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
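The double-From case the thread is arguing about, as an added example that is not part of the post above nor code from any DKIM implementation. It models only the RFC 4871 section 5.4 rule that each name in the h= tag selects the last not-yet-used instance of that header counting from the bottom, so that a message carrying two From: fields gets its bottom From: signed while a top-down MUA displays the other one. Assumptions: the header block, addresses and domains are constructed; a SHA-256 digest over the selected, relaxed-canonicalized headers stands in for the RSA signature; and the `reject_duplicate_from` policy is an illustrative verifier-side check (RFC 5322 allows exactly one From:), not something RFC 4871 itself requires. The second scenario shows the signer-side counterpart, listing "from" one more time than it occurs in h= so that a later prepended From: breaks verification.

```python
import hashlib

# Constructed sample messages (not real mail). In PHISH_MESSAGE the bad guy
# composes and signs a message that already has two From: fields.
PHISH_MESSAGE = (
    "From: Service <service@ebay.example>\n"
    "From: Bad Guy <bad@attacker.example>\n"
    "To: victim@example.net\n"
    "Subject: Please confirm your account\n"
    "\n"
    "body\n"
)
LEGIT_MESSAGE = (
    "From: Alice <alice@example.net>\n"
    "To: bob@example.org\n"
    "Subject: lunch\n"
    "\n"
    "body\n"
)
# A third party prepends a forged From: to the legitimately signed message.
FORGED_PREPEND = "From: Service <service@ebay.example>\n" + LEGIT_MESSAGE


def parse_headers(raw):
    """Return (name, value) pairs in wire order, unfolding continuation lines."""
    fields = []
    for line in raw.split("\n"):
        if line == "":
            break  # end of header block
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        fields.append((name.strip(), value.strip()))
    return fields


def select_signed_headers(fields, h_tags):
    """RFC 4871 5.4: for each name in h=, take the last unused instance from the
    bottom of the header. A name listed more times than it occurs matches
    nothing (None), which is how a signer 'over-signs' a header's absence."""
    remaining = list(fields)
    selected = []
    for name in h_tags:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                selected.append(remaining.pop(i))
                break
        else:
            selected.append(None)
    return selected


def signed_header_hash(fields, h_tags):
    """Digest of the selected headers in relaxed form (lower-cased name, folded
    whitespace). A real signer RSA-signs this; the point here is which bytes
    are covered, so the hash alone stands in for the signature."""
    parts = []
    for item in select_signed_headers(fields, h_tags):
        if item is None:
            continue  # absent header contributes nothing to the hash input
        name, value = item
        parts.append("%s:%s\r\n" % (name.lower(), " ".join(value.split())))
    return hashlib.sha256("".join(parts).encode()).hexdigest()


def displayed_from(fields):
    """Naive MUA behaviour: show the first From: found top-down."""
    for name, value in fields:
        if name.lower() == "from":
            return value
    return None


def signed_from(fields):
    """The From: instance a signature with 'from' in h= actually covers."""
    item = select_signed_headers(fields, ["from"])[0]
    return item[1] if item else None


def verify(signed_hash, received_raw, h_tags, reject_duplicate_from=False):
    """Return (signature_ok, accepted). signature_ok is the bare RFC 4871
    check; accepted additionally refuses a message whose From: count is not
    exactly one, the RFC 5322 limit (assumed verifier policy, not 4871)."""
    fields = parse_headers(received_raw)
    sig_ok = signed_header_hash(fields, h_tags) == signed_hash
    n_from = sum(1 for name, _ in fields if name.lower() == "from")
    accepted = sig_ok and not (reject_duplicate_from and n_from != 1)
    return sig_ok, accepted


if __name__ == "__main__":
    h = ["from", "to", "subject"]
    phish = parse_headers(PHISH_MESSAGE)
    sig = signed_header_hash(phish, h)
    print("MUA shows:", displayed_from(phish))
    print("signature covers:", signed_from(phish))
    print("4871 verify:", verify(sig, PHISH_MESSAGE, h))
    print("with duplicate-From policy:", verify(sig, PHISH_MESSAGE, h, True))
    h2 = ["from", "from", "to", "subject"]
    legit_sig = signed_header_hash(parse_headers(LEGIT_MESSAGE), h2)
    print("over-signed, forged From prepended:", verify(legit_sig, FORGED_PREPEND, h2))
```

Running it shows the two halves of the disagreement side by side: the bad guy's message verifies under the plain h=from:to:subject check while the MUA displays the ebay address, and only an extra policy (reject more than one From:) or, for a legitimate signer, the doubled "from" in h= closes the gap.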