On Wed 01/Dec/2021 20:10:30 +0100 John Levine wrote:
> It appears that Alessandro Vesely  <ves...@tana.it> said:
>> I'm not clear about the last but one paragraph of that section:
>>
>>    An example of such an attack includes altering the MIME structure,
>>    exploiting lax HTML parsing in the MUA, and defeating duplicate
>>    message detection algorithms.
>>
>> I'm going to file an errata about it. Altering the MIME structure is only possible if the value of l= is less than the original message length.
>
> I wish you hadn't.  I think the original concern was for sloppy MIME that
> forgot the -- after the last part.

I hope such errors are not so common as to deserve some kind of standardization.

>> Anyway, I wouldn't want to authenticate a message that underwent an HTML footer addition, because it can completely replace the original content in the end recipient's eyes. My draft requires footers to be plain text.
>
> Yet that's exactly what one of the largest discussion group services in the world did.
> As I keep pointing out, this is like an UNCOL, it does not generalize enough to be useful.
>
> On the other hand, ARC handles this just fine.


I, for one, am unable to use ARC as a receiver and authenticate messages that may well be spear phishing. So even though ARC can handle everything, it is not usable by everyone.

In order to trust the authorship of a message from Yahoo groups you have to trust Yahoo, either expressing your trust in an ARC filter configuration file or directly whitelisting Yahoo groups in a DMARC filter. However, not all mailing lists need such special settings to authenticate their posters. There are mailing lists which make no changes, and ones which make revertible changes.

Your objection sounds like you find that a Lisp compiler is useless because it doesn't compile Fortran, which is one of the most ubiquitous languages in the world.

Two methods are better than one.


Best
Ale
--

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
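
An added example, not part of the original message or of any draft discussed in it: a receiver-side check, in Python, of what a DKIM `l=` body length leaves uncovered, for the two cases raised in the thread (a body longer than `l=`, and a multipart body whose closing `--` delimiter was forgotten). It assumes RFC 6376 "simple" body canonicalization with SHA-256; the function names, the boundary `b1` and the sample bodies are constructed for illustration.

```python
import base64
import hashlib

def simple_canon(body: bytes) -> bytes:
    # RFC 6376 "simple" body canonicalization: ignore empty lines at the
    # end of the body and make sure it ends with exactly one CRLF.
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes, l=None) -> str:
    # bh= value (SHA-256): only the first l octets are hashed when l= is set.
    canon = simple_canon(body)
    if l is not None:
        canon = canon[:l]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def audit_l_tag(body: bytes, l: int, boundary: str) -> dict:
    # Report what an l= signature leaves uncovered in a received body.
    canon = simple_canon(body)
    closing = b"--" + boundary.encode() + b"--"
    return {
        "l_exceeds_body": l > len(canon),           # verification must fail
        "unsigned_bytes": max(len(canon) - l, 0),   # content outside the hash
        # Did the signed prefix itself close the multipart container?
        "signed_part_closed": closing in canon[:l].split(b"\r\n"),
    }

# Constructed sample bodies (not taken from any real message).
BOUNDARY = "b1"
ORIGINAL = b"--b1\r\nContent-Type: text/plain\r\n\r\nHello list.\r\n--b1--\r\n"
SLOPPY = ORIGINAL[: -len(b"--b1--\r\n")]   # closing delimiter forgotten
FOOTER = b"_______\r\ndmarc mailing list\r\n"

if __name__ == "__main__":
    for name, signed in (("well-formed", ORIGINAL), ("sloppy", SLOPPY)):
        l = len(simple_canon(signed))
        received = signed + FOOTER
        print(name, body_hash(received, l) == body_hash(signed, l),
              audit_l_tag(received, l, BOUNDARY))
```

In both cases the body hash still matches after the footer is appended; only the audit distinguishes a signed prefix that closed its own MIME container from one that did not.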
