On Mon 12/Jun/2023 13:05:51 +0200 Alexander Leidinger via Gnupg-users wrote:
> Quoting Alessandro Vesely via Gnupg-users <gnupg-users@gnupg.org> (from Mon, 12
> Jun 2023 10:57:32 +0200):
>
>> Hi,
>>
>> would someone please explain DKIM settings of lists.gnupg.org?
>
> I'm not involved in gnupg.org administration, but it looks like there are none.

Sometimes there is a signature.  The Announce message of April 28 had two:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnupg.org;
 s=20181017;
 h=Sender:Content-Type:List-Subscribe:List-Help:List-Archive:
 List-Unsubscribe:List-Id:Subject:MIME-Version:Message-ID:Date:Cc:To:From:
 Reply-To:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date
 :Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
 References:List-Post:List-Owner;
 bh=AaifcSnTnefRUURuPlCYtVlF0on0neCAn9vyAWrccMA=; b=GZor1crbzgMYZ0XztsHrHN0w3P
 d4QT2yOyZRUI1iA/Ys5St2fi/3ZIKghj/man3fY3c8bmN1N0fwEGCadSTzKO5YpM29kATZ8tDDLcf
 hX/49Mlk+X0sw5ecu3Z/Bm+2RJlpk8TPHWNM1wUy7yIlI4txDDSCsIlAawikJ4I4HTJY=;

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnupg.org;
 s=20181017;
 h=Content-Type:MIME-Version:Message-ID:Date:Subject:Cc:To:From:
 Sender:Reply-To:Content-Transfer-Encoding:Content-ID:Content-Description:
 Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
 In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=waITwZnkLncVwES3fe/pbC3rS8gp+dpge17NQpRHvMU=; b=U9warAJAiKlE0f9mSRe61yIzqa
 TNpdihkg9KDQBb8px1ESE5/6/qPzsg2KOMt82hpGMJukxzKAoDMwOGvpN/TGO9ADjrjWz9Dk5Ry+p
 QIwg+x3PKxYoOGVU9cmpVmeGsu6yOemyfN3mz0fGdqEC7SBGWjbe4LusOc/Kb65Opd0k=;

There were a number of Received: by/from kerckhoffs.g10code.com in between, as if the message was sent back and forth to a signer.  Most likely some header fields are changed during the transaction.

>> Looking at recent posts, I counted 44 with a failed signature by d=gnupg.org, 22 with no DKIM signature at all and none with a good signature.
>
> Can it be that those 44 are from real people which have a from-address
> @gnupg.org?

I only counted d=gnupg.org.

>> I'm asking because there was a proposal to eliminate SPF from DMARC authentication methods[*].  Opposers to such a move note that in a number of cases SPF succeeds where DKIM fails.  The discussion concluded that it must be because of misconfiguration, since most in-transit alterations were eliminated.  As people on this list are certainly knowledgeable, I thought I'd dare asking where such misconfiguration stems from.
>
> Your mail to the list had a DKIM signature from tana.it (your DKIM signature).  It specifies that in the header the date, to, from and subject lines are subject to validation.

Those lines are enough to uniquely identify a message.  Signing more fields only makes the signature more fragile.  It is not enough to prevent crackerjack re-playing in any case.

> The From was re-written by the list and as such the header check fails.  The body check fails as the list adds the following:
>
> ---snip---
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users
> ---snip---

The message verifies after removing the footer.  It can be done routinely, on some kinds of signatures.

> What the list-software would need to do is to strip the original DKIM signature

Why?  Original signatures can often be recovered.  They shouldn't be removed anyway.

> (and maybe sign itself, but there are drawbacks),

What drawback can there be to signing?  CPU resource consumption?

> or to not modify the message (at least not the designated header lines, and the body).  More info here:
>      https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html

Omitting subject tag and footer seems to me to be worse than From: munging.

See also this:
https://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail

> For mailman there is some info here on what could/should be done:
>      https://wiki.list.org/DEV/DKIM
>      https://wiki.list.org/DEV/DMARC
>
> For listserv there is some info here on what could/should be done:
>      https://www.lsoft.com/manuals/17.0/advancedtopics/Section12UsingDomainKeysIdentifi.html
>      https://www.lsoft.com/manuals/17.0/advancedtopics/Section13DMARCandLISTSERV.html
>
> There is also ARC (which you should see in the headers of my mail):
>      https://en.wikipedia.org/wiki/Authenticated_Received_Chain

I'd definitely recommend ARC, not the conceptual Mailman 3 version.  However, most receivers are not yet prepared to accept it.

Best
Ale
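The point made in the exchange above, that the list footer breaks the DKIM body hash and that the message verifies again once the footer is removed, can be reproduced without any DNS or key material, because bh= is just a digest over the canonicalized body. The following is an added example, not code from the thread or from GnuPG or Mailman: it implements RFC 6376 "simple" and "relaxed" body canonicalization by hand, computes bh=, and checks a constructed DKIM-Signature value against the body as sent, as delivered with a Mailman-style footer, and after the footer is stripped. The sample body, the footer text, the d=example.org/s=sel selector and the empty b= tag are all constructed for the demo; only the body hash is checked, not the RSA signature.

```python
"""Added example (not code from the thread): why a mailing-list footer breaks the
DKIM body hash (bh=) and why stripping the footer lets the message verify again.
Implements RFC 6376 body canonicalization by hand; the sample body, the footer
text and the DKIM-Signature value below are constructed for the demo."""
import base64
import hashlib
import re

# Constructed footer, modelled on the Mailman footer quoted in the thread.
MAILMAN_FOOTER = (
    b"_______________________________________________\r\n"
    b"Gnupg-users mailing list\r\n"
    b"Gnupg-users@gnupg.org\r\n"
    b"https://lists.gnupg.org/mailman/listinfo/gnupg-users\r\n"
)


def _drop_trailing_empty(lines: list) -> list:
    """RFC 6376 tells both signer and verifier to ignore empty lines at the end
    of the body; this is why an appended footer plus blank line is removable."""
    while lines and lines[-1] == b"":
        lines.pop()
    return lines


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 section 3.4.3: only trailing empty lines are removed; the body
    always ends with CRLF (an empty body becomes a single CRLF)."""
    lines = _drop_trailing_empty(body.replace(b"\r\n", b"\n").split(b"\n"))
    return b"".join(ln + b"\r\n" for ln in lines) if lines else b"\r\n"


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4: strip trailing WSP on each line, collapse runs of
    WSP to one SP, then drop trailing empty lines; an empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t"))
             for ln in body.replace(b"\r\n", b"\n").split(b"\n")]
    return b"".join(ln + b"\r\n" for ln in _drop_trailing_empty(lines))


def body_hash(body: bytes, algorithm: str = "rsa-sha256", canon: str = "relaxed") -> str:
    """Return bh= as the signer computes it: base64 of the digest over the
    canonicalized body (sha256 unless the a= tag names sha1)."""
    canonical = (canonicalize_body_relaxed(body) if canon == "relaxed"
                 else canonicalize_body_simple(body))
    digest_name = "sha1" if algorithm.endswith("sha1") else "sha256"
    return base64.b64encode(hashlib.new(digest_name, canonical).digest()).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature value ('tag=value; ...') into a dict, removing the
    folding whitespace that header wrapping inserts into long values."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_header: str, body: bytes) -> bool:
    """Check only the bh= tag against a body. The b= tag (the signature over
    the h= header fields) is not verified here."""
    tags = parse_dkim_tags(dkim_header)
    c = tags.get("c", "simple/simple")
    body_canon = c.split("/", 1)[1] if "/" in c else "simple"  # RFC 6376: lone value means body=simple
    return tags.get("bh") == body_hash(body, tags.get("a", "rsa-sha256"), body_canon)


def strip_list_footer(body: bytes, footer: bytes = MAILMAN_FOOTER) -> bytes:
    """Remove a trailing list footer if present. The blank line Mailman puts in
    front of it is then a trailing empty line, which canonicalization ignores."""
    return body[: -len(footer)] if body.endswith(footer) else body


def demo() -> dict:
    """Sign-time hash vs. what the list delivers vs. after footer removal."""
    original = b"Hi,\r\n\r\nwould someone please explain DKIM settings of lists.gnupg.org?\r\n"
    # Constructed signature header: the signer recorded bh= over the original body.
    dkim = ("v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=example.org; "
            "s=sel; h=Date:To:From:Subject; bh=" + body_hash(original) + "; b=")
    delivered = original + b"\r\n" + MAILMAN_FOOTER  # what subscribers receive
    return {
        "original_ok": body_hash_matches(dkim, original),
        "delivered_ok": body_hash_matches(dkim, delivered),
        "footer_stripped_ok": body_hash_matches(dkim, strip_list_footer(delivered)),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints `original_ok` and `footer_stripped_ok` as True and `delivered_ok` as False, which is exactly the pattern behind the failed d=gnupg.org signatures counted above: the headers named in h= may survive, but the appended footer changes the body digest. A verifier can only apply the footer-stripping retry on signatures whose canonicalization ignores trailing empty lines (both simple and relaxed do) and where the footer is a known, exact suffix, which is what "routinely, on some kinds of signatures" amounts to.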