Re: Spoofing revisited
On Wed, 27 Jul 2005, Earl Hood wrote:
DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
h=Received : From : To : Subject : Date : Message-ID;
Received: from 10.2.3.4-example.com [10.2.3.4]
by submitserver.example.com with SUBMISSION;
Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
From: Joe User <joe.user@xxxxxxxxxxx>
To: Suzie Q <suzie@xxxxxxxxxxxxxxxxxxxx>
Subject: I need your help?
Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
In the example, the i= is a sub-domain of d=, but the From is
of a different domain (and what is displayed by MUAs).
Actually there is no "i" in the above example. But your point that the
signature verifier needs to know what identity is being authorized
is correct. In META-Signatures I addressed this with an explicit
declaration of identity, i.e. the "id=from s=ispoofyou.org;" section would
not cause a valid signature result if it is "From: joe.user@xxxxxxxxxxx"
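
An added example, not part of the original message and not the META-Signatures or DKIM verification procedure: a Python check of whether the signing domain named in DKIM-Signature covers the From domain, which is the identity question discussed above. The From domain victim.example, the recipient domain and the helper names are assumptions, since the archive redacts the real addresses.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the thread, with made-up
# domains (victim.example, recipient.example) in place of the redacted ones.
SAMPLE = (
    "DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;\n"
    " h=Received : From : To : Subject : Date : Message-ID;\n"
    "From: Joe User <joe.user@victim.example>\n"
    "To: Suzie Q <suzie@recipient.example>\n"
    "Subject: I need your help?\n"
    "\n"
    "body\n"
)

def parse_tags(value):
    """Split a DKIM-Signature value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def within(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    domain, parent = domain.lower().rstrip("."), parent.lower().rstrip(".")
    return domain == parent or domain.endswith("." + parent)

def signer_covers_from(raw):
    """Report whether the signing domain (d=) covers the From domain.

    Identity check only (hypothetical helper); the signature itself is
    not verified here.
    """
    msg = message_from_string(raw)
    tags = parse_tags(msg.get("DKIM-Signature", ""))
    d = tags.get("d", "")
    # i= defaults to "@" + d when absent; it must sit inside d=.
    signer = tags.get("i", "@" + d).rpartition("@")[2]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not d or not from_domain or not within(signer, d):
        return False  # missing data, or i= is not inside d=
    return within(from_domain, d)
```

A signature that verifies cryptographically under d=ispoofyou.org still returns False here, because the displayed From domain is outside the signer's domain.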