THIS IS A MULTIPLE 5322.FROM SPOOFED MESSAGE
It has been observed by implementations that it is possible to replay
a message with a 2nd 5322.From header at the top which wouldn't break
the DKIM signature validity, but would often be displayed by MUAs to
display the new 5322.From display
President Obama wrote:
> [...]
Funny, but this shows nothing because mipassoc.org resigns messages
(d=mipassoc.org). (Oh, and it even included *two* "From"s in h= on your
message.)
> I propose the following addition text by adding to 48721bis to address
> this serious issue;
>
>Special Co
Julian Mehnle wrote:
> President Obama wrote:
>
>> [...]
>
> Funny, but this shows nothing because mipassoc.org resigns messages
> (d=mipassoc.org). (Oh, and it even included *two* "From"s in h= on your
> message.)
Right. Does this add "signer" reputation weight for the injected
5322.From?
Hector Santos wrote:
> Right. Does this add "signer" reputation weight for the injected
> 5322.From?
Probably not. AFAICT mipassoc.org doesn't verify DKIM sigs on list
messages, and even if it did, a verified DKIM sig (such as one created by
the original author of the message) doesn't tell any
Again, please don't CC me. I'm subscribed to the list.
Stephen Farrell wrote:
> On 05/10/10 23:54, Julian Mehnle wrote:
> > Recommending that one more "From" be added to h= (and hashed)
> > than From headers are initially placed in the message should be
> > enough. There is no need to change the
Hector Santos wrote:
> I would not be surprised if testing this with gmail.com shows the same
> thing which the online gmail MUA will have an indicator:
>
> signed by: some signer domain
>
> but will it display the injected spoofed unbounded 5322.From?
For the records, from my gmail testi
Julian Mehnle wrote:
> Hector Santos wrote:
>
>> Right. Does this add "signer" reputation weight for the injected
>> 5322.From?
>
> Probably not.
How do you know what the heuristic systems are doing?
> AFAICT mipassoc.org doesn't verify DKIM sigs on list
> messages,
it does. It verifi
On 05/10/10 23:54, Julian Mehnle wrote:
> Recommending that one more "From" be added to h= (and hashed)
> than From headers are initially placed in the message should be enough.
> There is no need to change the semantics of the spec.
Assuming that "recommending" above maps to a (putative)
"MU
Stephen Farrell wrote:
>
> On 05/10/10 23:54, Julian Mehnle wrote:
>> Recommending that one more "From" be added to h= (and hashed)
>> than From headers are initially placed in the message should be enough.
>> There is no need to change the semantics of the spec.
>
> Assuming that "recommendin
> PS: Note that I'm saying nothing about whether or not this
> issue should be mentioned in 4871bis.
FWIW:
Adding to a specification, by trying to protect against behavior that is
already illegal is wasteful, redundant and opens the door to an infinite
path of similarly unnecessary provis
On Tue, Oct 05, 2010 at 10:31:32PM -0400, Dave CROCKER allegedly wrote:
>
>
>
> > PS: Note that I'm saying nothing about whether or not this
> > issue should be mentioned in 4871bis.
>
>
> FWIW:
>
> Adding to a specification, by trying to protect against behavior that is
> already
> illegal
> -Original Message-
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of Mark Delany
> Sent: Tuesday, October 05, 2010 8:06 PM
> To: ietf-dkim@mipassoc.org
> Subject: Re: [ietf-dkim] THIS IS A MULTIPLE 5322.FROM MESSAGE
>
>
Hi Stephen,
At 16:46 05-10-10, Stephen Farrell wrote:
>Assuming that "recommending" above maps to a (putative)
>"MUST/SHOULD" statement in 4871bis, I'd be interested in
>opinions as to whether such a change might slow progress
>to draft standard, or be detrimental to current deployments.
Such a ch
> > That this is not in 4871 seems to be mostly a WG assumption that
> > should be made explicit.
>
> I think several of us thought it was in there, but on review it apparently
> was indeed lost somewhere along the way. We've certainly, as I understand
> it, been proceeding from that assumption
Mark Delany wrote:
>>> That this is not in 4871 seems to be mostly a WG assumption that
>>> should be made explicit.
>> I think several of us thought it was in there, but on review it apparently
>> was indeed lost somewhere along the way. We've certainly, as I understand
>> it, been proceeding f
cherawy
> Sent: Wednesday, October 06, 2010 1:22 AM
> To: ietf-dkim@mipassoc.org
> Subject: Re: [ietf-dkim] THIS IS A MULTIPLE 5322.FROM MESSAGE
>
> > -Original Message-
> > From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-
> boun...@mipassoc.org] On Beha
On Mon, 04 Oct 2010 23:24:11 +0100, President Obama
wrote:
>THIS IS A MULTIPLE 5322.FROM SPOOFED MESSAGE
Interestingly, my MUA (Opera) displayed both of those From headers, But I
can quite well understand that many other MUAs don't, and even where they
do I would expect many ph
> -Original Message-
> From: MH Michael Hammer (5304) [mailto:mham...@ag.com]
> Sent: Wednesday, October 06, 2010 12:20 AM
> To: Murray S. Kucherawy; ietf-dkim@mipassoc.org
> Subject: RE: [ietf-dkim] THIS IS A MULTIPLE 5322.FROM MESSAGE
>
> So, my belief is that thi
On 06/Oct/10 01:59, Julian Mehnle wrote:
> As I've written in my previous mail I think there's a better way to solve
> this (non-)issue. Just s/Comments/From/ in that INFORMATIVE NOTE on page
> 41 of 4871bis-01.
+1, I quote the resulting text
INFORMATIVE NOTE: A header field name need only
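The mechanics behind this thread, as an added worked example that is not code from the list or from any DKIM implementation: RFC 4871 selects signed header fields from the bottom of the header block upward, one instance per h= entry, and an h= entry with no matching instance contributes nothing to the hash. So a signature with h=from:... still verifies after someone prepends a second From, while listing From once more than it occurs (the over-signing the INFORMATIVE NOTE describes) makes the added field land in the hash and break the signature. The message, addresses and domains below are constructed placeholders; only the header-hash input is computed, with relaxed canonicalization and SHA-256, and no key or DKIM-Signature field is involved.

```python
import hashlib
import re
from typing import List, Tuple

# Constructed sample message; not a message from the archive. Addresses are placeholders.
ORIGINAL = (
    "From: Hector Santos <hector@example.org>\r\n"
    "To: ietf-dkim@example.test\r\n"
    "Subject: THIS IS A MULTIPLE 5322.FROM MESSAGE\r\n"
    "Date: Mon, 04 Oct 2010 23:24:11 +0100\r\n"
    "\r\n"
    "body\r\n"
)

# The header an attacker prepends when replaying the signed message (constructed).
INJECTED_FROM = "From: President Obama <president@example.test>\r\n"


def split_header_fields(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in physical order; folded lines stay in the value."""
    head = raw.split("\r\n\r\n", 1)[0]
    fields: List[Tuple[str, str]] = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:       # continuation of previous field
            name, value = fields[-1]
            fields[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            fields.append((name, value))
    return fields


def relaxed_canon(name: str, value: str) -> str:
    """RFC 4871 section 3.4.2 relaxed header canonicalization of one field."""
    unfolded = value.replace("\r\n", "")
    collapsed = re.sub(r"[ \t]+", " ", unfolded).strip()
    return f"{name.strip().lower()}:{collapsed}\r\n"


def select_signed_headers(fields: List[Tuple[str, str]], h_list: List[str]) -> List[Tuple[str, str]]:
    """RFC 4871 section 5.4 selection: each h= entry consumes the bottom-most
    unused instance of that field name; an entry with nothing left adds nothing."""
    used = set()
    chosen = []
    for wanted in h_list:
        for idx in range(len(fields) - 1, -1, -1):
            if idx in used:
                continue
            if fields[idx][0].strip().lower() == wanted.lower():
                used.add(idx)
                chosen.append(fields[idx])
                break
    return chosen


def header_hash(raw: str, h_list: List[str]) -> str:
    """SHA-256 over the canonicalized signed headers (the DKIM-Signature field itself is omitted)."""
    canon = "".join(relaxed_canon(n, v)
                    for n, v in select_signed_headers(split_header_fields(raw), h_list))
    return hashlib.sha256(canon.encode()).hexdigest()


def covered_from(raw: str, h_list: List[str]) -> List[str]:
    """The From value(s) the signature actually binds, in selection order."""
    return [v.strip() for n, v in select_signed_headers(split_header_fields(raw), h_list)
            if n.strip().lower() == "from"]


def oversigned_h(raw: str, names: List[str]) -> List[str]:
    """Build h= per the 4871bis note: list each field one more time than it occurs
    at signing time, so any later addition of that field changes the hash."""
    fields = split_header_fields(raw)
    out: List[str] = []
    for name in names:
        count = sum(1 for f, _ in fields if f.strip().lower() == name.lower())
        out.extend([name] * (count + 1))
    return out


def survives_injection(h_list: List[str]) -> bool:
    """True if the header hash is unchanged after a second From is prepended."""
    return header_hash(ORIGINAL, h_list) == header_hash(INJECTED_FROM + ORIGINAL, h_list)


if __name__ == "__main__":
    print("h=from:subject survives injected From:", survives_injection(["from", "subject"]))
    print("covered From under h=from:", covered_from(INJECTED_FROM + ORIGINAL, ["from", "subject"]))
    print("over-signed h=:", oversigned_h(ORIGINAL, ["from", "subject"]))
    print("over-signed survives injection:", survives_injection(oversigned_h(ORIGINAL, ["from", "subject"])))
```

Run stand-alone, the script shows that under h=from:subject the replayed message hashes identically and the signature still covers the original author's From (the one an MUA showing the top-most From would not display), whereas the over-signed h=from:from:subject:subject produces a different hash for the replayed message, so verification fails as intended. Note that this protects only signatures created with the extra h= entry; a verifier cannot retroactively apply it to existing signatures.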
Mark Delany:
> > > That this is not in 4871 seems to be mostly a WG assumption that
> > > should be made explicit.
> >
> > I think several of us thought it was in there, but on review it apparently
> > was indeed lost somewhere along the way. We've certainly, as I understand
> > it, been procee
On Oct 6, 2010, at 1:47 AM, Mark Delany wrote:
>>> That this is not in 4871 seems to be mostly a WG assumption that
>>> should be made explicit.
>>
>> I think several of us thought it was in there, but on review it apparently
>> was indeed lost somewhere along the way. We've certainly, as I un
On 10/6/2010 8:00 AM, Steve Atkins wrote:
> It also changes what DKIM means,
...
> Either the message has a valid DKIM signature, or it does not. If the
> signature is valid, then the signing domain takes responsibility for the
> message, subtly malformed or not. Just because the message lacks a
Either the message has a valid DKIM signature, or it does not.
If the signature is valid, then the signing domain takes responsibility
for the message, subtly malformed or not. Just because the message
lacks a Date: header or has bare linefeeds doesn't mean that the
signing domain isn't responsibl
> I don't think that's a fair characterization. It is simply wrong to try to
> deal this problem in DKIM. For example, a bug in the TCP stack that causes
> malformed data to arrive in an application which in turn causes something
> visible and unexpected, possibly even something dangerous, to
> -Original Message-
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of John R. Levine
> Sent: Wednesday, October 06, 2010 6:17 AM
> To: Steve Atkins
> Cc: DKIM List
> Subject: Re: [ietf-dkim] THIS IS A MULTIPLE 5322.FROM MES
On 10/6/2010 9:17 AM, John R. Levine wrote:
> Is it DKIM's job to make the verification fail, or is it an MUA's job to do
> something reasonable with malformed messages?
At one level, that's merely an implementation choice. At another level, it
is a question of whether conformance enforcement
> -Original Message-
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of Dave CROCKER
> Sent: Wednesday, October 06, 2010 7:02 AM
> To: John R. Levine
> Cc: DKIM List
> Subject: Re: [ietf-dkim] THIS IS A MULTIPLE 5322.FROM ME
On Wed, Oct 6, 2010 at 9:15 AM, Dave CROCKER wrote:
>
>
> On 10/6/2010 8:00 AM, Steve Atkins wrote:
>> It also changes what DKIM means,
> ...
>> Either the message has a valid DKIM signature, or it does not. If the
>> signature is valid, then the signing domain takes responsibility for the
>> mess
of this".
Mike
-Original Message-
From: ietf-dkim-boun...@mipassoc.org on behalf of Murray S. Kucherawy
Sent: Wed 10/6/2010 8:13 AM
To: ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] THIS IS A MULTIPLE 5322.FROM MESSAGE
> -Original Message-
> From: MH Michael Hammer (5304)
org
>> Subject: Re: [ietf-dkim] THIS IS A MULTIPLE 5322.FROM MESSAGE
>>
>> There was an assertion in RFC4780 about "conforming emails" that must
>> only have a single 2822.From header. That got lost in the translation
>> to 4781 I guess. Unfortunately, 4780 faile
Charles Lindsey wrote:
> On Mon, 04 Oct 2010 23:24:11 +0100, President Obama
> wrote:
>
>>THIS IS A MULTIPLE 5322.FROM SPOOFED MESSAGE
>
> Interestingly, my MUA (Opera) displayed both of those From headers, But I
> can quite well understand that many other MUAs don't, and even wh
"Dave CROCKER" wrote:
>
>
>On 10/6/2010 8:00 AM, Steve Atkins wrote:
>> It also changes what DKIM means,
>...
>> Either the message has a valid DKIM signature, or it does not. If the
>> signature is valid, then the signing domain takes responsibility for the
>> message, subtly malformed or not.
On Oct 6, 2010, at 3:01 PM, Scott Kitterman wrote:
>
>
> "Dave CROCKER" wrote:
>
>>
>>
>> On 10/6/2010 8:00 AM, Steve Atkins wrote:
>>> It also changes what DKIM means,
>> ...
>>> Either the message has a valid DKIM signature, or it does not. If the
>>> signature is valid, then the signing
> "Dave CROCKER" wrote:
>> In particular, it makes the multiple From: issue entirely
>> irrelevant to DKIM.
Scott Kitterman wrote:
> In a normative sense, perhaps, but in real world terms, it doesn't.
> Since this does away with "It's not valid 5322, so it can't
> be valid DKIM", it puts the
On 10/6/2010 1:57 PM, MH Michael Hammer (5304) wrote:
>
> Apologies all for top posting. Having to use a different client due to
> technical difficulties.
>
> Murray, I'm violently agreeing with you that it is not strictly
> speaking a 4871 issue.
>
> Having said that, I believe that it is an iss
IMHO, a user who would be fooled by your:
> From: President Obama
> From: Hector Santos
would also likely be fooled by:
> From: President Obama
The latter problem is a hole DKIM just can't plug. At least the
dual-From: trick is an easy signature to add to a content filter.
By the way, the
On Wed, 06 Oct 2010 18:57:10 +0100, MH Michael Hammer (5304)
wrote:
> If the consensus is that it is a problem but not really a 4871 problem
> then do we just walk away from it and leave it at that - "not our
> problem"? Should we perhaps look for the place where the 5322 people
> roost (
On Wed, 06 Oct 2010 13:00:25 +0100, Steve Atkins
wrote:
> On Oct 6, 2010, at 1:47 AM, Mark Delany wrote:
>> Right. We could attempt to enumerate the 1,000 edge-cases we know
>> today and then re-bis 4871 for the additional 1,000 edge-cases we
>> learn tomorrow, or we could simply say that inva
On 10/07/2010 03:40 AM, Charles Lindsey wrote:
> On Wed, 06 Oct 2010 13:00:25 +0100, Steve Atkins
> wrote:
>
>> On Oct 6, 2010, at 1:47 AM, Mark Delany wrote:
>
>>> Right. We could attempt to enumerate the 1,000 edge-cases we know
>>> today and then re-bis 4871 for the additional 1,000 edge-cases w
Michael Thomas wrote:
> On 10/07/2010 03:40 AM, Charles Lindsey wrote:
>> On Wed, 06 Oct 2010 13:00:25 +0100, Steve Atkins
>> wrote:
>>
>>> On Oct 6, 2010, at 1:47 AM, Mark Delany wrote:
>>>> Right. We could attempt to enumerate the 1,000 edge-cases we know
>>>> today and then re-bis 4871 for the
> -Original Message-
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of Michael Thomas
> Sent: Thursday, October 07, 2010 9:09 AM
> To: Charles Lindsey
> Cc: DKIM
> Subject: Re: [ietf-dkim] THIS IS A MULTIPLE 5322.FROM MESSAG
Cc: DKIM
>> Subject: Re: [ietf-dkim] THIS IS A MULTIPLE 5322.FROM MESSAGE
>>
>> I'm with Steve on this one. Forcing implementations of DKIM to
>> determine whether a message is compliant is a pretty high bar. I
>> for one wouldn't be in any particular big hur
Michael Thomas wrote:
>> Generally I agree, but does saying "verification is undefined" satisfy those
>> concerned that this is a security vulnerability? The example of
>> double-From: shows verification succeeds. It's the interpretation of those
>> results that is the problem.
>
> These are
> -Original Message-
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of Charles Lindsey
> Sent: Thursday, October 07, 2010 3:50 AM
> To: DKIM
> Subject: Re: [ietf-dkim] THIS IS A MULTIPLE 5322.FROM MESSAGE
>
> B
At 10:57 06-10-10, MH Michael Hammer (5304) wrote:
>the place where the 5322 people roost (I hear that working group
>shut down as part of IETF reorg) and at least say... "hey, this came
>up in the context of 4871 and we believe
That working group did not shut down; it took a pause.
At 11:50 06
Hi SM,
> -Original Message-
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of SM
> Sent: Thursday, October 07, 2010 1:02 PM
> To: ietf-dkim@mipassoc.org
> Subject: Re: [ietf-dkim] THIS IS A MULTIPLE 5322.FROM MESSAGE
>
>
Hi Murray,
At 13:08 07-10-10, Murray S. Kucherawy wrote:
>Even so, as Charles pointed out, I'm not sure exactly what it is we
>could ask them to change.
RFC 5322 specifies a format for Internet mail. I don't see what
could be changed in there as this discussion is not about an issue
with the f
On 10/7/2010 4:18 PM, SM wrote:
> RFC 5322 specifies a format for Internet mail. I don't see what
> could be changed in there as this discussion is not about an issue
> with the format.
5321 and 5322 are component specifications, although of course they do have
/some/ systems integrative text
On Thu, 07 Oct 2010 19:18:19 +0100, Michael Thomas wrote:
> The larger issue here is would anybody rush out to close this MUST.
> I think that it is highly unlikely that anybody is going to care at this
> point. That goes for *any* new MUST, IMO: unless it's really a serious
> protocol endangerin
--On 8 October 2010 15:38:46 +0100 Charles Lindsey
wrote:
> On Thu, 07 Oct 2010 19:18:19 +0100, Michael Thomas wrote:
>
>> The larger issue here is would anybody rush out to close this MUST.
>> I think that it is highly unlikely that anybody is going to care at this
>> point. That goes for *a
> -Original Message-
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of Ian Eiloart
> Sent: Monday, October 11, 2010 2:36 AM
> To: Charles Lindsey; DKIM
> Subject: Re: [ietf-dkim] THIS IS A MULTIPLE 5322.FROM MESSAGE
>
>