On 2/10/23 10:23 AM, Wei Chuang wrote:
Hi all,
I've posted an updated version of the
draft-chuang-dkim-replay-problem-01
<https://datatracker.ietf.org/doc/draft-chuang-dkim-replay-problem/01/>
draft. It cleans up a lot from the -00 rough draft state so hopefully
it's more clear. It builds a case that spammers are exploiting DKIM
through replay, identifies conflicting scenarios, and outlines a
solution space.
| taking advantage of the flexibility in DKIM to
| selectively sign headers, the spammer may intentionally leave out
| certain headers such as To:, and Subject: that can be added in later
| without damaging the existing DKIM signature.
I think this needs to be explained. It isn't obvious to me how they
would manage to do that. The header fields signed are under control of
the signer, not the original author. How do the attackers coax the
provider's signer into not signing certain fields?
Mike
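As an added illustration (not part of the draft or of either message above), a receiver-side check of which header fields a DKIM-Signature's h= tag actually covers, and which could still be added after signing; the expected-field list and the sample signatures are constructed assumptions:

```python
"""Receiver-side check of which header fields a DKIM-Signature covers (RFC 6376 h= tag).
Fields absent from h= can be added after signing without breaking the signature;
listing a field more times than it occurs ("oversigning") blocks later additions."""
import re
from collections import Counter

# Fields a receiver would normally want covered (assumed policy, not RFC text).
EXPECTED_FIELDS = ("from", "to", "subject", "date", "message-id")


def parse_h_tag(dkim_signature):
    """Return the lower-cased field names listed in the h= tag, in order."""
    # Tags are ';'-separated; folding whitespace may appear around ':' inside h=.
    compact = re.sub(r"\s+", "", dkim_signature)
    for tag in compact.split(";"):
        if tag.startswith("h="):
            return [name.lower() for name in tag[2:].split(":") if name]
    return []

def header_coverage(dkim_signature, present_headers):
    """Per expected field: times signed, times present, and whether another instance
    could be prepended unsigned (h= entries match existing headers bottom-up)."""
    signed = Counter(parse_h_tag(dkim_signature))
    present = Counter(name.lower() for name in present_headers)
    return {
        field: {
            "signed": signed[field],
            "present": present[field],
            "addable": signed[field] <= present[field],
        }
        for field in EXPECTED_FIELDS
    }

def unsigned_fields(dkim_signature, present_headers):
    """Expected fields the signature does not cover at all."""
    cov = header_coverage(dkim_signature, present_headers)
    return [f for f in EXPECTED_FIELDS if cov[f]["signed"] == 0]

def addable_fields(dkim_signature, present_headers):
    """Expected fields a third party could still add after signing."""
    cov = header_coverage(dkim_signature, present_headers)
    return [f for f in EXPECTED_FIELDS if cov[f]["addable"]]

# Constructed sample signatures; bh= and b= are placeholders, not real values.
SIG_SPARSE = "v=1; a=rsa-sha256; d=example.com; s=sel; h=from:date:message-id; bh=XXX; b=YYY"
SIG_OVERSIGNED = ("v=1; a=rsa-sha256; d=example.com; s=sel; "
                  "h=from:to:subject:date:message-id:to:subject; bh=XXX; b=YYY")
PRESENT = ["From", "To", "Subject", "Date", "Message-ID"]
```

With SIG_SPARSE the report flags To: and Subject: as unsigned; with SIG_OVERSIGNED both are listed twice against one occurrence each, so a later instance of either would break the signature.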
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim