-1

---
Sent from my mobile phone

On Jul 10, 2011, at 3:58 AM, "Michael Deutschmann" <mich...@talamasca.ocis.net> 
wrote:

> On Sun, 10 Jul 2011, Hector Santos wrote:
>> Now of course, if ADSP was a standard and whitehouse.com had an
>> exclusive signing policy, receivers would have rejected the junk
>> distributed by Dave's list server as an ADSP violation.  But ADSP is a
>> pipe dream.
> 
> The attack only matters if the user believes that forgery is impossible
> because his ISP and the putative sender both "deploy ADSP" -- and thus the
> fact that the message made it to his mailbox means it has to be validly
> signed.  (Of course, such users are suckers for messages from "0bama"...)
> 
> Otherwise, "Obama" messages with an alternate From: (which the forger
> hopes the MUA will ignore) and signature for that second From:, are no
> more convincing than plain old forgeries with a single From: and no
> signature at all.  In fact, they can be less effective, since:
> 
> 1. At any step on the way, the message may be rejected as a protocol
> violation.
> 
> 2. The MUA might display to the user the From: instance that was
> intended by the forger for the validator's eyes only.
> 
> 3. The lazy validator might act on the From: instance that was intended
> by the forger for the MUA to display.
> 
> Failures (from the forger's perspective) 1 and 2 produce a result less
> convincing than a simple unsigned forgery.  Failure 3 produces a result
> no more convincing than the simple unsigned forgery.
> 
> ---- Michael Deutschmann <mich...@talamasca.ocis.net>
> _______________________________________________
> NOTE WELL: This list operates according to 
> http://mipassoc.org/dkim/ietf-list-rules.html

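As an added illustration of the validator-side checks that points 1 and 3 above hinge on, and not code from anyone in this thread: a Python sketch that rejects a message carrying more than one From: field (RFC 5322 permits exactly one) and reports whether the DKIM h= tag oversigns From:, the defence RFC 6376 recommends against header fields added after signing. The sample messages and example.* domains are constructed, and the signature fields are placeholders; nothing is cryptographically verified.

```python
import re
from email import message_from_bytes
from email.message import Message

# Constructed sample messages, not real mail. DKIM-Signature values are
# placeholders: only the h= tag is read, nothing is cryptographically verified.
SIG = (b"DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel;\r\n"
       b"  h=%s; bh=PLACEHOLDER; b=PLACEHOLDER\r\n")
TAIL = b"To: victim@example.org\r\nSubject: hi\r\n\r\nbody\r\n"
RAW_TWO_FROM = (SIG % b"From:To:Subject"
                + b"From: President <president@example.gov>\r\n"  # top copy, what many MUAs show
                + b"From: Someone <someone@example.net>\r\n"      # bottom copy, the one h= reaches
                + TAIL)
RAW_SIGNED_ONCE = SIG % b"From:To:Subject" + b"From: Someone <someone@example.net>\r\n" + TAIL
RAW_OVERSIGNED = SIG % b"From:From:To:Subject" + b"From: Someone <someone@example.net>\r\n" + TAIL


def signed_fields(msg: Message) -> list[str]:
    """Header names listed in the DKIM-Signature h= tag, lower-cased, repeats kept."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return []
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", value)  # unfold continuation lines
    return [name.lower() for name in tags.get("h", "").split(":") if name]


def assess(raw: bytes) -> str:
    """Verdict based on the From: count and on how the signature's h= tag covers From:."""
    msg = message_from_bytes(raw)
    froms = msg.get_all("From") or []
    h = signed_fields(msg)
    if len(froms) != 1:
        # RFC 5322 section 3.6 allows exactly one From:; reject rather than guess which
        # copy the MUA will show and which copy the signer actually hashed.
        return "reject: %d From: fields" % len(froms)
    if "from" not in h:
        return "reject: From: not covered by DKIM signature"
    if h.count("from") < 2:
        # Signed once: a From: added above the original would sit outside the signed set.
        return "warn: From: signed but not oversigned"
    return "ok: single From:, oversigned"
```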