On Thu, 14 Oct 2010 19:01:17 +0100, Alessandro Vesely <ves...@tana.it> wrote:
> On 13/Oct/10 20:45, Scott Kitterman wrote: >> On Wednesday, October 13, 2010 12:54:23 pm Murray S. Kucherawy wrote: >>> If we can extract DKIM from the equation entirely and the problem >>> remains, >>> how is it a DKIM problem? >> >> If the DKIM signature doesn't verify after signed headers have been >> altered, >> then it's not. > > Correct. And the way that it fails to verify is h=from:from. That only works when the signature is created by the Good Guys. When the Bad Guys create signatures (using a throwaway domain), they will conveniently "forget" to do h=from:from. > > The only way that DKIM can consistently account for this exploit is by > amending section 5.5 "Recommended Signature Content", and spell what > fields MUST/SHOULD be duplicated in the h= tag. No, the only way is to amend DKIM so that the verifiers MUST/SHOULD take the right action. -- Charles H. Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl Email: ...@clerew.man.ac.uk snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html