[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Spoofing revisited
Earl Hood wrote:
> On July 27, 2005 at 17:59, "Arvel Hathcock" wrote:
> > In the case of the example you gave joe.user@x does not match
> > d=ispoofyou.com from the signature. Therefore an SSP is required
> > using the domain 'x' taken from joe.user@x (the "Originator Address").
> > In fact, this policy lookup is required any time the signing entity
> > does not match the domain of the From. The policy at domain 'x' will
> > specify that it does not allow "third-party signatures" and that's
> > the end of the problem right?
> In the example, the i= is a sub-domain of d=, but the From is
> of a different domain (and what is displayed by MUAs).
In this situation, section 4 of the draft states that
| Sender Signing Policy Checks MUST be based on the Originator Address.
| If the message contains a valid signature on behalf of the Originator
| Address no Sender Signing Policy Check need be performed: the verifier
| SHOULD NOT look up the Sender Signing Policy and the message SHOULD
| be considered non-Suspicious.
| Verifiers checking messages that do not have at least one valid
| signature MUST perform a Sender Signing Policy Check by doing a DNS
| query to the domain specified by the Originator Address.
If the policy specified by the domain of the "From:" address states
that third party signatures were not to be accepted, then the signature
would not verify.