On Wed, Aug 26, 2020 at 5:00 PM Jim Fenton <fen...@bluepopcorn.net> wrote:
> On 8/26/20 10:54 AM, Dotzero wrote: > > > > On Wed, Aug 26, 2020 at 1:32 PM Doug Foster <fosterd= > 40bayviewphysicians....@dmarc.ietf.org> wrote: > >> Are the weak signatures vulnerable to a replay attack? I thought that >> one of the reasons that DKIM signatures included the whole body was to >> prevent the signature from being reused. >> >> >> >> DF >> > > Not particularly vulnerable. The requirement is that you have the "weak > signature" plus the intermediary full DKIM signature. This let's the > validator/receiver know that the originating domain knew that the > intermediary might break the originating domains DKIM signature but the > validator/receiver would have the DKIM signature of the intermediary. The > "weak signature" is only validated against that specific message and > headers it signed and that specific intermediary. It's not a > generic/general signature. > > > It sounds like the weak signature is just a regular DKIM signature plus > the designation of the intermediary, and the "weak" part is that you don't > check the body hash against the body. Have I got that right? > > -Jim > Not exactly. The intermediary can check the full DKIM signature. The ultimate validator/receiver can check the full DKIM signature of the intermediary plus the "small" signature (I'm not comfortable with the phrase "weak signature") of the originator. If the original DKIM signature gets broken by the known intermediary then you have a mechanism to identify that the originator recognized the intermediary. This is not my preferred approach but I'm trying to find something that works to accommodate the various needs/wants expressed on the list. In my perfect world the intermediary would change it's behavior but that isn't going to happen. This is more straight forward than many of the other suggestions I've seen. Hat tip to John for his original idea for this approach. I'd be interested in seeing if any of the larger players (receivers) would be willing to utilize this sort of approach. Also, if anyone (organization) would be willing to provide a list of known intermediaries on some basis (whether free or pay). If these two things are in place then it is certainly worth exploring this approach in more detail. Michael Hammer
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc