On Wed 11/May/2016 19:09:45 +0200 Kurt Andersen (b) wrote:
> Removing arc-discuss per suggestion from Barry.
>
> On Wed, May 11, 2016 at 9:54 AM, Alessandro Vesely <ves...@tana.it> wrote:
>> On Wed 11/May/2016 17:29:18 +0200 Kurt Andersen (b) wrote:
>>> On Wed, May 11, 2016 at 7:00 AM, Murray S. Kucherawy wrote:
>>
>> [... assume ARC-Seal: i=0 still verifies ...]
>>
>>> Doesn't the i=1 ARC set also prove the originator was involved?
>>
>> No, it doesn't.
>>
>>> Yes, AS[1] testifies to the Authenticated-Results of receiving the
>>> message from the originator.
>>
>> That only proves the first receiver was involved. A final receiver may
>> trust its results or not.
>
> What would an AS[0] assertion provide that would not be already asserted by
> the originator's DKIM-Signature?
Nothing, except that the originator's DKIM-Signature is broken after MLM
processing. In that respect, ARC-Seal is similar to weak signatures.

> If AS[1] is untrustworthy (using the term advisedly), but AS[0] still
> verifies, then presumably the original DKIM-Signature would also still
> verify and ARC-based information is not needed to have a pass for the DMARC
> evaluation.

If the body was altered, the original DKIM-Signature is broken. If AS[0] is
good --which is possible since it didn't sign the body-- and rfc5322.from
matches the AS[0] signer, can we then bypass DMARC validation?

To address Brandon's concern, high value targets should never produce an
AS[0] in the first place. Spammers can grab a recent ARC-0 set from any
message emitted by a general purpose domain deploying this technique, let's
call it hmail. Then they craft a message with:

* the grabbed ARC-0,
* From: user@hmail.example, and
* ARC set signed by themselves, including faked ARC-Authentication-Results.

W.r.t. what happened before hmail published p=reject, spammers face the
additional difficulty of getting a fresh ARC-0 every day, but hmail knows
which messages such ARC-0 was being grabbed from. Admittedly not much, but
maybe it can be improved.

Ale

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
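The point Ale makes above (a headers-only AS[0] still verifies after the body changes, so treating it as DMARC-aligning evidence reopens the door that p=reject closed) can be shown with a small model. The following is an added example, not code from the thread, from ARC, or from any implementation; it assumes a toy scheme in which HMAC with shared demo keys stands in for the DNS-published RSA keys, a DKIM-Signature covers the headers plus a body hash, and the hypothetical ARC-Seal i=0 covers the headers only, exactly as the message describes. The `dmarc_pass` function and the `trust_seal` flag are constructed for the example; the flag models the bypass the thread warns about so that a verifier author can see which branch must stay off.

```python
import hashlib
import hmac

# Constructed demo keys standing in for the DNS-published public keys a real
# verifier would fetch (assumption: HMAC replaces RSA to keep the example short).
KEYS = {"hmail.example": b"hmail-demo-key", "mlm.example": b"mlm-demo-key"}


def _canon(headers):
    # Simplified header canonicalisation: sorted order, "name:value" per line.
    return "\n".join(f"{k}:{v}" for k, v in sorted(headers.items()))


def sign_dkim(domain, headers, body):
    """Toy DKIM-Signature: covers the signed headers AND a hash of the body."""
    payload = _canon(headers) + "\nbh=" + hashlib.sha256(body).hexdigest()
    return hmac.new(KEYS[domain], payload.encode(), "sha256").hexdigest()


def verify_dkim(domain, headers, body, tag):
    return hmac.compare_digest(sign_dkim(domain, headers, body), tag)


def sign_seal(domain, headers):
    """Toy ARC-Seal as discussed in the thread: covers headers only, no body."""
    return hmac.new(KEYS[domain], _canon(headers).encode(), "sha256").hexdigest()


def verify_seal(domain, headers, tag):
    return hmac.compare_digest(sign_seal(domain, headers), tag)


def dmarc_pass(from_domain, dkim_pass_domains, seal_pass_domains, trust_seal):
    """DMARC alignment in miniature: pass if an authenticated identifier
    matches the rfc5322.From domain. trust_seal=True is the unsafe branch:
    it lets a headers-only seal count as authentication of the message."""
    if from_domain in dkim_pass_domains:
        return True
    return trust_seal and from_domain in seal_pass_domains


def demo():
    from_domain = "hmail.example"
    # Constructed sample message from the originator.
    headers = {"From": f"user@{from_domain}", "Subject": "hello"}
    body = b"original text\n"
    dkim = sign_dkim(from_domain, headers, body)
    seal0 = sign_seal(from_domain, headers)  # the hypothetical AS[0]

    # As received directly from the originator: both verify.
    r = {"orig_dkim": verify_dkim(from_domain, headers, body, dkim),
         "orig_seal": verify_seal(from_domain, headers, seal0)}

    # Same headers and seal over a different body: an MLM footer, or a
    # replayed ARC-0 set attached to a message the originator never sent.
    altered = body + b"-- list footer\n"
    r["altered_dkim"] = verify_dkim(from_domain, headers, altered, dkim)
    r["altered_seal"] = verify_seal(from_domain, headers, seal0)

    dkim_ok = {from_domain} if r["altered_dkim"] else set()
    seal_ok = {from_domain} if r["altered_seal"] else set()
    # Safe evaluation: the seal is not message authentication, so DMARC fails.
    r["dmarc_dkim_only"] = dmarc_pass(from_domain, dkim_ok, seal_ok, trust_seal=False)
    # Unsafe evaluation: the seal alone yields a pass on an altered body.
    r["dmarc_trusting_seal"] = dmarc_pass(from_domain, dkim_ok, seal_ok, trust_seal=True)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the DKIM-Signature failing and the seal still verifying once the body changes; only the evaluation that refuses to count the seal as authentication keeps DMARC at fail, which is the receiver-side counterpart of the advice that high value targets should not emit an AS[0] at all.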