On Thu, 07 Jul 2011 15:28:09 +0100, Barry Leiba <barryle...@computer.org>  
wrote:

>> The signer most certainly CAN attack, but what he is attacking is not
>> DKIM; rather it is the recipient, or Ebay, or lenient MTAs. DKIM is, in
>> fact, his weapon of attack.
>
> Right, but the point is that, with DKIM (as Murray says, this attack
> can be mounted with or without), the signing domain is relying on its
> own reputation, not that of the "fake" From....

I think Murray is wrong. There is no benefit to the Bad Guy in using two  
From: fields if he is not going to sign one of them. By signing, he hopes  
to gain sufficient extra credibility to get through.

> ...  That mitigates things in
> two ways:
>
> 1. There's really no difference between using "d=badguy.com" to sign
> "From: x...@badguy.com" and then adding "From: x...@ebay.com" later, and
> using "d=badguy.com" to sign "From: x...@ebay.com" in the first place.
> No advice in this regard addresses the second case anyway.

Oh yes there is! Because identity assessors will undoubtedly give more  
credence to messages where the signature domain is the same as the author  
(i.e. From:) domain, even if they do not go to the extent of doing full
ADSP, and that is just what the BadGuy hopes will happen. And if  
implementors are not warned of this attack, they will tend to take a  
report of "signed by the domain that DKIM regards as the appropriate  
From:" at its face value and act accordingly.
>
> 2. Signers that do this will quickly get bad reputations, and will
> never have had strongly good ones in the first place.  It's never
> eBay's reputation that's relevant here anyway.

Signers who are BadGuys don't give a damn about the reputation of their  
domains. Having dispatched a million or so phishes with "d=badguy.com",
they will abandon that domain and use "d=son-of-badguy.com" for the next  
batch. All that can be said of the reputation of badguy.com is that it is  
a new domain, never seen before (but new domains are appearing all the  
time, and must be assumed more-or-less innocent until proven otherwise).
>
> Given all that, having us describe the problem is sufficient, and
> that's exactly what the WG consensus has us do.

Yes, but you haven't described the problem. In draft-12, the old 8.14  
described this attack tolerably well (and 8.15 described my 2nd one). On  
that basis I was persuaded to let that draft go (just). But what we have  
now is worse, not better, and I regret that if that remains the case, then  
it can only lead to another appeal to the AD.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       Web: http://www.cs.man.ac.uk/~chl
Email: c...@clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
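As an added, defender-side illustration that is not part of the thread above: the double-From: case Charles describes, examined structurally with Python's standard email package. The sample message, its domains and the DKIM tag values are all constructed, and the code checks only header structure and h= coverage; it does not verify the signature itself.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread): badguy.example signs a From: of its
# own, then prepends a second, unsigned From: claiming a well-known brand.
# bh= and b= are placeholders; no cryptographic check is made here.
SAMPLE = (
    "From: eBay Support <x@ebay.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=badguy.example; s=sel;"
    " h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: x@badguy.example\n"
    "To: victim@example.net\n"
    "Subject: Your account\n"
    "\n"
    "Please log in.\n"
)


def parse_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 3.2)."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = re.sub(r"\s+", "", v)
    return tags


def assess_from(raw):
    """Count From: fields, work out which ones the h= tag binds, and check
    whether each aligns with the signing domain d=.  Structural only: the
    signature itself is not verified."""
    msg = message_from_string(raw)
    froms = msg.get_all("From") or []
    tags = parse_tags(msg.get("DKIM-Signature", ""))
    d = tags.get("d", "").lower()
    n_signed = [f.strip().lower() for f in tags.get("h", "").split(":")].count("from")
    # RFC 6376 5.4.2: repeated names in h= bind fields from the bottom of the
    # header block upward, so only the last n_signed From: fields are covered.
    covered_start = max(0, len(froms) - n_signed)
    fields = []
    for i, value in enumerate(froms):
        domain = parseaddr(value)[1].rpartition("@")[2].lower()
        fields.append({"domain": domain, "signed": i >= covered_start, "aligned": domain == d})
    # RFC 5322 permits exactly one From:; a surplus copy should be rejected or
    # quarantined rather than displayed, whatever the signature says.
    verdict = "ok" if len(froms) == 1 else "reject: %d From: fields" % len(froms)
    return {"d": d, "oversigned": n_signed > len(froms), "from": fields, "verdict": verdict}


if __name__ == "__main__":
    print(assess_from(SAMPLE))
```

Listing "from" in h= one more time than the message carries (oversigning) is the signer-side countermeasure the report's "oversigned" flag detects: a From: added after signing then breaks the signature instead of riding on it.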
