
RE: Spoofing revisited



Earl Hood wrote:
> 
> On July 27, 2005 at 17:59, "Arvel Hathcock" wrote:
> 
> > In the case of the example you gave joe.user@x does not match 
> > d=ispoofyou.com from the signature.  Therefore an SSP is required 
> > using the domain 'x' taken from joe.user@x (the "Originator Address").  
> > In fact, this policy lookup is required any time the signing entity 
> > does not match the domain of the From.  The policy at domain 'x' will 
> > specify that it does not allow "third-party signatures" and that's 
> > the end of the problem right?
> 
...
> 
> In the example, the i= is a sub-domain of d=, but the From is 
> of a different domain (and what is displayed by MUAs).
> 

In this situation, section 4 of the draft states that

| Sender Signing Policy Checks MUST be based on the Originator Address.
| If the message contains a valid signature on behalf of the Originator
| Address no Sender Signing Policy Check need be performed: the verifier
| SHOULD NOT look up the Sender Signing Policy and the message SHOULD
| be considered non-Suspicious.
|
| Verifiers checking messages that do not have at least one valid
| signature MUST perform a Sender Signing Policy Check by doing a DNS
| query to the domain specified by the Originator Address.

If the policy specified by the domain of the "From:" address states 
that third-party signatures are not to be accepted, then the signature 
would not verify.

--
James
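
The check order quoted from section 4, sketched as an added example (not part of the original message or of the draft). The policy field `allows_third_party`, the verdict strings, and the reading of "on behalf of" as d= equal to the From domain are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

@dataclass
class Signature:
    d: str       # signing domain from the d= tag
    valid: bool  # cryptographic verification result, computed elsewhere

def norm(domain: str) -> str:
    return domain.strip().rstrip(".").lower()

def domain_of(address: str) -> str:
    return norm(address.rsplit("@", 1)[1])

def ssp_check(originator: str, signatures: Iterable[Signature],
              lookup_policy: Callable[[str], Optional[dict]]
              ) -> Tuple[str, Optional[str]]:
    """Return (verdict, domain queried for policy, or None if no query)."""
    from_domain = domain_of(originator)
    valid = [s for s in signatures if s.valid]
    # Valid signature on behalf of the Originator Address: no policy lookup.
    # Assumption: "on behalf of" is simplified to d= equal to the From domain.
    if any(norm(s.d) == from_domain for s in valid):
        return ("non-suspicious", None)
    # The query is keyed on the Originator Address, never on the signer's d=,
    # so the signer cannot steer the verifier to a policy the signer controls.
    policy = lookup_policy(from_domain)
    if policy is None or not valid:
        # No record, or no valid signature at all: the outcome depends on
        # policy options that the quoted text does not describe.
        return ("undetermined", from_domain)
    if policy.get("allows_third_party"):  # hypothetical field name
        return ("non-suspicious", from_domain)
    return ("suspicious", from_domain)

if __name__ == "__main__":
    # Constructed sample data reusing the thread's example addresses.
    policies = {"x": {"allows_third_party": False}}
    sigs = [Signature(d="ispoofyou.com", valid=True)]
    print(ssp_check("joe.user@x", sigs, policies.get))
```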