On 20 Nov 2022, at 11:08, Dave Crocker wrote:

> On 11/11/2022 7:19 AM, Murray S. Kucherawy wrote:
>> I think you've hit on possibly the most interesting part of this: In RFC
>> 6376, we said "You're taking some responsibility for this message... and oh,
>> by the way, it could get replayed, and your claimed responsibility extends
>> to that case as well". I don't know that we underscored the latter very
>> much then or since.
>
> At the time DKIM was first developed, we knew that replay was possible. It
> was deemed a lesser concern. Back then.
>
> But the "by the way" that you've added was /not/ part of the thinking then
> and it occurs to me that a) no it was not and is not intended, and b) this
> might argue for *having MDAs remove DKIM signatures...*
a) It’s difficult to say what was and what wasn’t part of the thinking back
then. My recollection differs, but what we didn’t have then is the current
experience on how DKIM-based reputation systems are used.

b) This assumes that the attackers (replayers) only have access to the messages
at delivery, and don’t operate their own MTAs. This is of course not a good
assumption.

-Jim

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
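The replay property the thread is arguing about, shown concretely as an added example (this is not code from the thread, from RFC 6376's authors, or from any DKIM implementation). It reuses RFC 6376's relaxed header canonicalization, simple body canonicalization and bottom-up header selection, but substitutes an HMAC with a shared secret for the RSA/Ed25519 signature so it runs with the standard library only; the domain `example.com`, selector `sel1`, the sample message and the `replay` helper (which models the replayer sending through its own MTA, the case raised in point b) are all constructed for the example. It also goes one step beyond the thread by showing RFC 6376's oversigning trick (listing `to` twice in `h=`), which blocks a replayer from prepending a fresh `To:` but, as the first result shows, does nothing about an untouched message being resent to new envelope recipients.

```python
import base64
import hashlib
import hmac
import re

# Assumption: an HMAC secret stands in for the domain's private key. Real DKIM
# signs exactly the same input with RSA or Ed25519; the replay property shown
# here does not depend on that substitution.
SIGNING_SECRET = b"example.com/sel1 stand-in key"
DOMAIN, SELECTOR = "example.com", "sel1"


def relaxed_header(name, value):
    """RFC 6376 3.4.2 relaxed header canonicalization."""
    value = re.sub(r"[ \t\r\n]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def simple_body(body):
    """RFC 6376 3.4.3 simple body canonicalization: exactly one trailing CRLF."""
    return body.rstrip("\r\n") + "\r\n"


def select_headers(headers, h_list):
    """RFC 6376 5.4.2: for each name in h= take the next unused occurrence,
    scanning from the bottom of the header block upward. A name listed more
    often than it occurs contributes nothing ("oversigning")."""
    used, out = set(), []
    for name in h_list:
        for i in range(len(headers) - 1, -1, -1):
            if i not in used and headers[i][0].lower() == name.lower():
                used.add(i)
                out.append(relaxed_header(*headers[i]))
                break
    return "".join(out)


def _signature_input(headers, dkim_value, h_list):
    # Selected headers, then the DKIM-Signature header itself with an empty
    # b= tag and no trailing CRLF (RFC 6376 3.7). Nothing about the SMTP
    # envelope (MAIL FROM / RCPT TO) is ever part of this input.
    stripped = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", dkim_value)
    return (select_headers(headers, h_list)
            + relaxed_header("DKIM-Signature", stripped).rstrip("\r\n")).encode()


def sign(headers, body, h_list):
    """Return the header list with a DKIM-Signature prepended."""
    bh = base64.b64encode(hashlib.sha256(simple_body(body).encode()).digest()).decode()
    value = (f"v=1; a=hmac-sha256; c=relaxed/simple; d={DOMAIN}; s={SELECTOR}; "
             f"h={':'.join(h_list)}; bh={bh}; b=")
    mac = hmac.new(SIGNING_SECRET, _signature_input(headers, value, h_list),
                   hashlib.sha256).digest()
    return [("DKIM-Signature", value + base64.b64encode(mac).decode())] + headers


def verify(headers, body):
    """Verify the first DKIM-Signature header; True or False."""
    for i, (name, value) in enumerate(headers):
        if name.lower() == "dkim-signature":
            break
    else:
        return False
    tags = {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in value.split(";") if "=" in t)}
    others = headers[:i] + headers[i + 1:]
    bh = base64.b64encode(hashlib.sha256(simple_body(body).encode()).digest()).decode()
    if not hmac.compare_digest(bh, tags.get("bh", "")):
        return False
    expected = hmac.new(SIGNING_SECRET,
                        _signature_input(others, value, tags.get("h", "").split(":")),
                        hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(tags.get("b", "")), expected)


# Constructed sample: example.com signs a message one of its users (the future
# replayer) sent to an address they control.
BODY = "Click here to claim your prize.\r\n"
HEADERS = [
    ("From", "Promotions <promo@example.com>"),
    ("To", "replayer@attacker.example"),
    ("Subject", "Your account"),
]


def replay(signed, rcpt_to):
    """The replayer's own MTA resends the untouched signed message to a new
    envelope recipient. Returns (rcpt_to, DKIM result) to make explicit that
    the envelope never entered the computation."""
    return rcpt_to, verify(signed, BODY)


def demo():
    plain = sign(HEADERS, BODY, ["from", "to", "subject"])
    oversigned = sign(HEADERS, BODY, ["from", "to", "to", "subject"])
    # Replayer prepends a To: so the displayed recipient looks legitimate.
    forged_plain = [("To", "victim@bank.example")] + plain
    forged_over = [("To", "victim@bank.example")] + oversigned
    return {
        "replay_unchanged": replay(plain, "victim@bank.example")[1],       # True
        "added_to_not_oversigned": verify(forged_plain, BODY),             # True
        "added_to_oversigned": verify(forged_over, BODY),                  # False
        "body_tampered": verify(plain, BODY + "P.S. send your password\r\n"),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The first result is the one that matters for the stripping proposal: an MDA removing the signature at delivery only affects copies that reach a mailbox, while a replayer who receives the signed message directly into its own MTA (or extracts it from any intermediate hop) still holds a message that verifies for every new RCPT TO.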