On Fri 04/Sep/2020 04:05:24 +0200 Douglas E. Foster wrote:
Of the three types of content changes that I proposed, the easiest to specify
and get implemented is the first type, where the mediator only adds content,
adds a change log indicating the additions, and signs the result. I am hoping
and assuming that if mailing lists have freedom to add their branding to the
subject and body, most lists would not need to make more complex changes.
The change log must not be a generic patch, but rather a stylized list of
pre-canned modifications, much like envisaged in the dkim-transform draft.
This limitation can reduce the attack surface, although it cannot prevent
malicious URLs in the footer.
The signed change log would allow participating recipients to identify the
signed additions added by the list or other mediator, while also identifying
the signed original after the list additions are virtually removed.
I don't think the change log has to be signed. If undoing the changes leads to
a verifiable signature, then add a dkim=pass for the original signer. Else
dkim=fail. Signing the change log doesn't hurt, but it doesn't help either.
If verification succeeds, Authentication-Results: can report enough
transformation details to allow the MDA to restore the original From:, in case
the MLM rewrote it.
Once the additions and the original are reliably identified to a source
domain, suspicion of spoofing is no longer a concern. Each chunk of content
can be evaluated based on the reputation of the verified source domain and
the specifics of the content.
Nested additions are possible. Each new signature adds an entry to a
verification stack. Any change can be removed, virtually or actually, by
reversing the change at each level, working backwards from last to first.
I beg to disagree. On the one hand, we already have ARC to unwind a chain of
message handlers. The "defect" of ARC is that it needs a full domain
reputation system in order to work reliably. Where the reputation of
"intermediate" mediators is needed, ARC is the right tool.
On the other hand, a deterministic tool should only be interested in who the
actual author of a message is and what the domain owner has to say about
attributing such authorship. This can be done without assessing reputation.
IMHO, the original author domain deserves an aggregate report mentioning the
result of evaluating DKIM transformations, even if From: was rewritten. So
does the last From: rewriter. Intermediate mediators don't.
Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
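As an added example, not code from either correspondent or from any draft: a toy verifier for the undo-then-verify step Ale describes, which reverses a stylized change log last to first and recomputes a simplified content hash in place of a real DKIM signature check. The transform names ("subject-prefix", "footer"), the hash construction and the sample message are constructed stand-ins, not anything defined by DKIM or the dkim-transform draft.

```python
import base64
import hashlib
import hmac

# Constructed sample message as it left the author's domain (not real mail).
ORIG_SUBJECT = "Proposal for change logs"
ORIG_BODY = "Hello list,\nhere is my proposal.\n"

def content_hash(subject: str, body: str) -> str:
    # Stand-in for the DKIM body hash (bh=) plus the signed Subject: header;
    # a real verifier checks the public-key signature over the header hash.
    data = ("subject:" + subject + "\r\n" + body).encode("utf-8")
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def apply_changes(subject: str, body: str, change_log: list) -> tuple:
    # The mediator applies its pre-canned modifications, first to last.
    for kind, value in change_log:
        if kind == "subject-prefix":
            subject = value + subject
        elif kind == "footer":
            body = body + value
        else:
            raise ValueError(f"unsupported transform {kind!r}")
    return subject, body

def undo_changes(subject: str, body: str, change_log: list):
    # Reverse the logged changes last to first; None if a logged change is absent.
    for kind, value in reversed(change_log):
        if kind == "subject-prefix" and subject.startswith(value):
            subject = subject[len(value):]
        elif kind == "footer" and body.endswith(value):
            body = body[: len(body) - len(value)]
        else:
            return None
    return subject, body

def verify(subject: str, body: str, change_log: list, original_hash: str) -> str:
    # Verdict for the original signer, as it would appear in Authentication-Results.
    restored = undo_changes(subject, body, change_log)
    if restored is None:
        return "dkim=fail"
    if hmac.compare_digest(content_hash(*restored), original_hash):
        return "dkim=pass"
    return "dkim=fail"

# Two nested mediators: a list that tags the subject and appends a footer,
# then a forwarder that tags the subject again (constructed change log).
CHANGE_LOG = [("subject-prefix", "[dmarc] "), ("footer", "--\nlist footer\n"),
              ("subject-prefix", "Fwd: ")]
ORIG_HASH = content_hash(ORIG_SUBJECT, ORIG_BODY)
```

Any edit the change log does not account for, or a logged change that is not actually present, yields dkim=fail for the original signer.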