> -----Original Message-----
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of Charles Lindsey
> Sent: Monday, July 11, 2011 3:52 AM
> To: DKIM
> Subject: Re: [ietf-dkim] Final update to 4871bis for working group review
>
> > "Agents that evaluate or apply DKIM output need to be aware that a DKIM
> > signer can sign messages that are malformed (e.g., violate RFC5322), or
> > become malformed in transit, or contain content that is not true or
> > valid. Such an action might constitute an attack against a receiver,
> > especially where additional credence is incorrectly given to a signed
> > message without evaluation of the signer. Moreover, an agent would be
> > incorrect to infer that all instances of a header field are signed just
> > because one is. Agents will need to account for these issues when
> > deciding how to apply DKIM results to messages, especially when
> > displaying them to users."
>
> OK, there is much good stuff in that. In particular, it makes it clear
> that Bad Stuff can originate from the signer as well as from
> men-in-the-middle and replayers. But I am still concerned that multiple
> occurrences of "singleton" header fields are not explicitly mentioned,
> even as just one possible example.
That's what the "violate RFC5322" and "displaying them to users" covers. Again, I don't think it's smart to name a specific attack in case it leads one to believe that it's the only interesting one.

> After all, you were seemingly happy to mention that particular trap in
> 8.14 in draft-12.

That this stuff is in there at all is compromise to me, so you're not quite accurate in your use of "happy".

> Not sure about the word "incorrectly", but s/without evaluation/without
> adequate evaluation/ might make your point better. Though I expect, of the
> millions of perfectly legitimate domains that will exist without special
> recognition in any reputation system, it will be hard to spot a newly
> appearing 'badguy' one.

I don't think conversation about how reputation is applied is in scope; some systems could be used to give preferential treatment to good actors, some negative treatment to bad actors, some both.

> I still don't think that paragraph is what we really need, but I will
> withhold judgement on that until I see how it gets incorporated into the
> other bits of text that are around.

Given that today's the deadline, we will have to go with something like this or nothing at all (which in fact I would prefer because I think all of this is adequately covered by existing text, and I believe consensus and the AD concurs), so withhold judiciously.

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
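The "singleton" header concern discussed above, as an added example that is not part of the thread or of any DKIM implementation: a verifier-side check that applies the RFC 6376 bottom-up h= selection rule to work out which header instances a signature actually covers, then flags RFC 5322 singleton fields that occur more than once with an instance the signature does not cover. The sample headers and h= values are constructed for illustration.

```python
# Added example, not from the thread or any DKIM library: apply the RFC 6376
# bottom-up h= selection rule to find which header instances a signature
# covers, then flag duplicated singleton fields that are left uncovered.
from typing import List, Tuple

# RFC 5322 section 3.6 fields that may appear at most once in a message.
SINGLETON = {"date", "from", "sender", "reply-to", "to", "cc", "bcc",
             "message-id", "in-reply-to", "references", "subject"}

def signed_instances(headers: List[Tuple[str, str]], h_tag: str) -> List[bool]:
    """For each (name, value) in headers (top to bottom), True if h= covers it.
    Each name in h= consumes the lowest not-yet-consumed instance of that
    field; a name listed more times than it occurs hashes the empty string
    (oversigning), so no further instance is claimed by it."""
    covered = [False] * len(headers)
    for name in h_tag.split(":"):
        name = name.strip().lower()
        for i in range(len(headers) - 1, -1, -1):
            if name and headers[i][0].lower() == name and not covered[i]:
                covered[i] = True
                break
    return covered

def unsigned_singleton_duplicates(headers: List[Tuple[str, str]], h_tag: str) -> List[str]:
    """Singleton fields present more than once with an instance the signature
    does not cover: the signer cannot vouch for those, so a verifier must not
    treat every instance as signed just because one is."""
    covered = signed_instances(headers, h_tag)
    counts = {}
    for name, _ in headers:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    flagged = {n.lower() for (n, _), ok in zip(headers, covered)
               if n.lower() in SINGLETON and counts[n.lower()] > 1 and not ok}
    return sorted(flagged)

# Constructed sample: a second From: prepended above the signed one (the
# DKIM-Signature value is abbreviated; only the h= list is used here).
SAMPLE_HEADERS = [
    ("From", "display@example.com"),
    ("DKIM-Signature", "v=1; d=example.org; h=from:to:subject; ..."),
    ("From", "signer@example.org"),
    ("To", "user@example.net"),
    ("Subject", "hello"),
]

# Oversigning (h=from:from) makes the signature cover the prepended From: too.
result_plain = unsigned_singleton_duplicates(SAMPLE_HEADERS, "from:to:subject")  # ["from"]
result_oversigned = unsigned_singleton_duplicates(SAMPLE_HEADERS, "from:from:to:subject")  # []
```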