Re: [Ietf-dkim] DKIM reply mitigations: re-opening the DKIM working group

2022-11-16 Thread Roland Turner
On 17/11/22 04:59, Alessandro Vesely wrote: > In the context of a replay attack, the important cases are: > > 1. the MLM does not break the original DKIM signature > 2. the MLM applies its own ARC/DKIM signature which is itself used in a reply > attack I fancied an experiment where a

Re: [Ietf-dkim] DKIM reply mitigations: re-opening the DKIM working group

2022-11-16 Thread Roland Turner
On 17/11/22 04:34, Alessandro Vesely wrote: On Wed 16/Nov/2022 05:35:52 +0100 Roland Turner wrote: > Not quite, because they're not usually applied when a message is forwarded > intact. One outcome of the proposed WG might be to specifically encourage all > MLMs to ARC-sign, even if they

Re: [Ietf-dkim] DKIM reply mitigations: re-opening the DKIM working group

2022-11-16 Thread Roland Turner
On 17/11/22 03:59, Hector Santos wrote: On Nov 11, 2022, at 11:46 AM, Barry Leiba wrote: Indeed... The issue here is this: 1. I get a (free) account on free-email.com. Ok 2. I send myself email from my account to my account. Of course, free-email signs it,

Re: [Ietf-dkim] DKIM reply mitigations: re-opening the DKIM working group

2022-11-16 Thread Roland Turner
On 16/11/22 19:20, Wei Chuang wrote: On Tue, Nov 15, 2022 at 4:10 AM Alessandro Vesely wrote: If you can filter basing on a reliable reputation system, current ARC seals are enough already, aren't they? There's the risk that ARC gets replayed like DKIM, so it too needs

Re: [Ietf-dkim] DKIM reply mitigations: re-opening the DKIM working group

2022-11-16 Thread Alessandro Vesely
On Wed 16/Nov/2022 05:32:24 +0100 Roland Turner wrote: On 15/11/22 03:01, Alessandro Vesely wrote: The exception is a standardised mechanism to allow a sender/signer to indicate the [approximate] number of intended recipients, with which receivers might make fact-based decisions about when to

Re: [Ietf-dkim] DKIM reply mitigations: re-opening the DKIM working group

2022-11-16 Thread Alessandro Vesely
On Wed 16/Nov/2022 05:35:52 +0100 Roland Turner wrote: On 15/11/22 23:10, Alessandro Vesely wrote: On Mon 14/Nov/2022 18:54:33 +0100 Wei Chuang wrote: > On Mon, Nov 14, 2022 at 8:03 AM Alessandro Vesely wrote: > >> BTW, we all know that mailing lists send one message at a time, doing >> VERP

Re: [Ietf-dkim] DKIM reply mitigations: re-opening the DKIM working group

2022-11-16 Thread Hector Santos
> On Nov 11, 2022, at 11:46 AM, Barry Leiba wrote: > > Indeed... > The issue here is this: > > 1. I get a (free) account on free-email.com. Ok > 2. I send myself email from my account to my account. Of course, > free-email signs it, because it's sent from me to me: why would it > not?

Re: [Ietf-dkim] DKIM reply mitigations: re-opening the DKIM working group

2022-11-16 Thread Laura Atkins
> On 15 Nov 2022, at 12:29, Murray S. Kucherawy wrote: > > On Mon, Nov 14, 2022 at 11:04 AM Laura Atkins > wrote: > Does it make sense to add in a brief discussion of ‘responsibility for the > message'? As I see it, responsibility implies able to do something

Re: [Ietf-dkim] DKIM reply mitigations: re-opening the DKIM working group

2022-11-16 Thread Wei Chuang
On Tue, Nov 15, 2022 at 4:10 AM Alessandro Vesely wrote: > On Mon 14/Nov/2022 18:54:33 +0100 Wei Chuang wrote: > > On Mon, Nov 14, 2022 at 8:03 AM Alessandro Vesely > wrote: > > > >> BTW, we all know that mailing lists send one message at a time, doing > >> VERP for each subscriber. They can