On 04/13/2015 08:21 PM, Murray S. Kucherawy wrote:

On Mon, Apr 13, 2015 at 12:58 AM, Stephen J. Turnbull <turnb...@sk.tsukuba.ac.jp> wrote:

Douglas Otis writes:
> If the DMARC domain fails to step up, then a reasonable fallback
> could require the display of the Sender header offering the needed
> alignment.

I don't understand this. We already see that most professional
spammers exhibit From alignment on much of their traffic. Sender
alignment is just as easy to implement, even if we could expect MUAs
to conform to the "required display of Sender field". Users do not
understand the Sender field as far as I can tell.

To the extent comprehensible, TPA is meant to allow author A to tell
receiver B that mail that has C in (for example) the List-ID field
should be treated as though it came from A. However, I concur that it
means an impostor can simply do what the TPA record says and thereby
succeed; few of the properties TPA identifies are authenticated in any
way. It might be helpful to get alignment working through paths that
invalidate SPF or DKIM, but compared to the fact that it basically
advertises how to get a "pass" in an invisible way, it's more scary to
me than not. Now, if that isn't the case, then I suggest the document
falls short of explaining how this is not an attack vector.

Also, Doug insists that this is not registration, but I don't know how
he can claim this since it requires a DNS entry for every {A, C} pair
that exists which must then be queried by every B that might receive
mail from C. Unless I'm not understanding use of the term, that's
exactly how I believe we've been using "registration" lately, and the
argument on the table is that any registration scheme is basically a
non-starter for operators for which the cardinality of AxC is or could
be large.

But, if this 'registration' does not apply to the 'mandatory tag draft',
that means that every sender will always add the weak signature +
'fs=<initial domain>' and a replay attack is reduced to breaking the
weak signature?

/rolf
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
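The thread contrasts From alignment with the proposed Sender alignment. The following Python is an added example, not code from the thread, from any of its participants, or from any DMARC implementation: it implements RFC 7489 identifier alignment (strict and relaxed, via the Organizational Domain) and evaluates a constructed list-relayed message twice, once against From and once against Sender, to show that the verdict depends entirely on which header is compared. The function names, the tiny public-suffix table, the sample message and the pre-computed SPF/DKIM results are all assumptions of the example.

```python
"""DMARC identifier alignment (RFC 7489, section 3.1) as an added example.

Assumptions (not from the thread): a small constructed table stands in for
the real Public Suffix List, and SPF/DKIM results are passed in as already
evaluated values rather than computed here.
"""
import email
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; a real evaluator loads the
# full list from https://publicsuffix.org/.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "ac.jp"}


def organizational_domain(domain: str) -> str:
    """Organizational Domain (RFC 7489, 3.2): longest known public suffix
    plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    # No known suffix in the table: fall back to the last two labels.
    return ".".join(labels[-2:])


def is_aligned(header_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) needs the same
    Organizational Domain."""
    h, a = header_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return h == a
    return organizational_domain(h) == organizational_domain(a)


def evaluate(raw_message, spf_domain, spf_result, dkim_results,
             aspf="r", adkim="r", identifier="From"):
    """DMARC-style verdict for one message.

    spf_domain / spf_result: RFC5321.MailFrom domain and its SPF result.
    dkim_results: list of (d= domain, result) pairs from DKIM verification.
    identifier: header whose domain is compared. DMARC specifies From;
    Sender is accepted here only to show that the arithmetic is identical,
    so alignment assures nothing unless the compared identifier is the one
    the recipient actually sees and trusts.
    """
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get(identifier, ""))
    if "@" not in addr:
        return {"identifier": identifier, "domain": None,
                "pass": False, "aligned_by": []}
    domain = addr.rsplit("@", 1)[1]
    aligned_by = []
    if spf_result == "pass" and is_aligned(domain, spf_domain, aspf):
        aligned_by.append("spf:" + spf_domain)
    for d, result in dkim_results:
        if result == "pass" and is_aligned(domain, d, adkim):
            aligned_by.append("dkim:" + d)
    return {"identifier": identifier, "domain": domain,
            "pass": bool(aligned_by), "aligned_by": aligned_by}


# Constructed sample: a message relayed through a mailing list. The list's
# domain is the SPF-authenticated MailFrom and the DKIM signer; the author
# domain in From is authenticated by neither.
SAMPLE = """\
From: Alice <alice@example.com>
Sender: discuss-bounces@lists.example.org
List-ID: <discuss.lists.example.org>
To: bob@example.net
Subject: constructed sample

hello
"""
LIST_DOMAIN = "lists.example.org"
AUTH = dict(spf_domain=LIST_DOMAIN, spf_result="pass",
            dkim_results=[(LIST_DOMAIN, "pass")])

if __name__ == "__main__":
    print(evaluate(SAMPLE, **AUTH))                       # From: not aligned
    print(evaluate(SAMPLE, identifier="Sender", **AUTH))  # Sender: aligned
```

Run stand-alone, the script prints a failing verdict for From and a passing one for Sender on the very same message; the only thing that changed is which header the relay got to choose. The Organizational Domain derivation is the part a production evaluator takes from the full Public Suffix List rather than a hand-written table.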