On Fri, Feb 10, 2023 at 1:29 PM Michael Thomas <m...@mtcc.com> wrote:
>
> On 2/10/23 10:23 AM, Wei Chuang wrote:
> > Hi all,
> > I've posted an updated version of the draft-chuang-dkim-replay-problem-01
> > <https://datatracker.ietf.org/doc/draft-chuang-dkim-replay-problem/01/>
> > draft. It cleans up a lot from the -00 rough draft state so hopefully it's
> > more clear. It builds a case that spammers are exploiting DKIM through
> > replay, identifies conflicting scenarios, and outlines a solution space.
>
> | taking advantage of the flexibility in DKIM to
> | selectively sign headers, the spammer may intentionally leave out
> | certain headers such as To:, and Subject: that can be added in later
> | without damaging the existing DKIM signature.
>
> I think this needs to be explained. It isn't obvious to me how they would
> manage to do that. The header fields signed are under control of the
> signer, not the original author. How do the attackers coax the provider's
> signer into not signing certain fields?

By leaving them out. Many DKIM signers, having observed this vulnerability,
have started oversigning headers to prevent that.

-Wei

> Mike
> _______________________________________________
> Ietf-dkim mailing list
> Ietf-dkim@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf-dkim
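The exchange above turns on how the DKIM h= tag selects header fields: per RFC 6376, each name listed in h= consumes the next unconsumed instance of that field, searching from the bottom of the header block upward, and a name with no instance left contributes an empty value. Listing a name more times than it occurs ("oversigning") therefore pins that field's count, so a To: or Subject: added after signing changes the signed input. The following Python is an added illustration of that selection rule and of why oversigning closes the gap described in the draft excerpt; it is not code from the draft, the IETF list or either correspondent. The HMAC stands in for the RSA/Ed25519 signature DKIM really uses, the header canonicalisation is simplified, the body hash is omitted, and the key, message headers and added headers are constructed sample values.

```python
import hashlib
import hmac
from typing import List, Tuple

Header = Tuple[str, str]  # (field name, field value)


def select_signed_headers(headers: List[Header], h_tag: str) -> List[str]:
    """Pick the header instances covered by an h= tag.

    RFC 6376 rule (simplified here): each name in h= takes the next
    unconsumed instance of that field, scanning bottom-up; a name with no
    remaining instance contributes the empty string. Listing a name more
    times than it appears ("oversigning") therefore fixes how many
    instances the signature covers.
    """
    remaining = list(headers)
    selected = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                selected.append(f"{name}:{remaining[i][1].strip()}")
                del remaining[i]
                break
        else:
            selected.append(f"{name}:")  # nonexistent field -> empty value
    return selected


def sign_headers(headers: List[Header], h_tag: str, key: bytes) -> str:
    # Stand-in for DKIM's public-key signature: an HMAC over the selected,
    # simply canonicalised headers. Only the selection logic matters here.
    data = "\r\n".join(select_signed_headers(headers, h_tag)).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_headers(headers: List[Header], h_tag: str, key: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign_headers(headers, h_tag, key), sig)


# Constructed sample values (not from the draft or the thread).
KEY = b"constructed-demo-key"
ORIGINAL: List[Header] = [
    ("From", "sender@example.com"),
    ("Date", "Fri, 10 Feb 2023 10:23:00 -0800"),
    ("MIME-Version", "1.0"),
]


def with_added_headers(msg: List[Header]) -> List[Header]:
    # A replayed copy: the signed fields are untouched, new fields are
    # prepended, as the draft excerpt describes for To: and Subject:.
    return [("To", "recipient@example.net"),
            ("Subject", "constructed subject line")] + list(msg)


def demo() -> dict:
    """Compare a signer that omits To:/Subject: with one that oversigns them."""
    results = {}

    # Signer covers only fields present; To:/Subject: are simply absent.
    weak = "From:Date"
    sig = sign_headers(ORIGINAL, weak, KEY)
    results["weak_original"] = verify_headers(ORIGINAL, weak, KEY, sig)
    results["weak_with_added"] = verify_headers(with_added_headers(ORIGINAL), weak, KEY, sig)

    # Oversigning: To: and Subject: are listed although absent, and From: is
    # listed once more than it occurs, so any later addition is detected.
    strong = "From:Date:To:Subject:From"
    sig2 = sign_headers(ORIGINAL, strong, KEY)
    results["oversigned_original"] = verify_headers(ORIGINAL, strong, KEY, sig2)
    results["oversigned_with_added"] = verify_headers(with_added_headers(ORIGINAL), strong, KEY, sig2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```

Running it shows the weak signature verifying both before and after the extra headers are added, while the oversigned signature verifies on the original and fails once a To: or Subject: appears. A verifier implementation that ignores the empty-string rule for missing fields would silently lose this protection, which is the check worth confirming in any DKIM library you rely on.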