On 11/27/2022 6:30 PM, Murray S. Kucherawy wrote:
> Domain Keys Identified Mail (DKIM, RFC 6376) defines a mechanism for
> using a digital signature to associate a domain identity with an email
> message in a secure way, and to assure receiving domains that the message has
> not been altered since the signature was created.  Receiving systems

Again:  DKIM does not assure that the message has not been altered.  It assures only the covered portions of the message.

That's not a small difference in data integrity protection.


> can use this information as part of their message-handling decision.
> This can help reduce spam, phishing, and other unwanted or malicious
> email.

> A DKIM-signed message can be re-posted, to a different set of recipients, without disturbing the signature's validity.  This can be used to confound the engines that identify abusive content.  RFC 6376 identified a risk of these "replay" attacks, but at the time did not consider this to be a problem in need of a solution.  Recently, the community has decided that it has become enough of a problem to warrant being revisited.

This does not provide any real understanding of how replay is accomplished.  And since it's easy to explain and doesn't take much text, I'll again encourage including that in the document that defines the nature of the problem we will be working on, namely the charter.

Really, it's not asking a lot to identify the role of the collaborating recipient and possibly a bit more.  This makes the charter more directly useful to circulate widely and be understood in substance, without requiring the reader to either already know the topic or to forage for other documents.


> The DKIM working group will produce one or more technical specifications that describe the abuse and propose replay-resistant mechanisms that are compatible with DKIM's broad deployment.  The working group may produce documents describing
> relevant experimental trials first.

This draft doesn't include the 'preservation of installed base' cover text that Barry's had and I forgot to include in mine.  I think it's important.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
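To make concrete the distinction drawn above (DKIM protects only the covered portions of a message) and why a re-posted copy still verifies, here is an added Python illustration that is not part of the thread or of any DKIM implementation. It uses a constructed message and HMAC-SHA256 with a demo key as a stand-in for the RSA signature, so it runs offline; header and body canonicalization follow RFC 6376 sections 3.4.2 and 3.4.3.

```python
import hashlib
import hmac

# Constructed demo key: stands in for the signer's RSA private key so the
# illustration runs offline (real DKIM uses rsa-sha256 or ed25519-sha256).
SIGNING_KEY = b"constructed-demo-key"
COVERED = ["from", "to", "subject", "date"]   # the signature's h= list

# Constructed sample message: covered headers plus body.
ORIGINAL = {
    "from": "newsletter@example.org",
    "to": "reader@example.net",
    "subject": "Weekly  update",
    "date": "Sun, 27 Nov 2022 18:30:00 -0800",
}
BODY = "Hello,\r\n\r\nThis is the message body.\r\n\r\n\r\n"

def relaxed_header(name, value):
    """RFC 6376 s3.4.2 'relaxed' header canonicalization: lowercase the
    field name, unfold, collapse whitespace runs to one space, trim."""
    unfolded = " ".join(value.replace("\r\n", "").split())
    return f"{name.lower()}:{unfolded}"

def simple_body(body):
    """RFC 6376 s3.4.3 'simple' body canonicalization: reduce trailing
    empty lines to a single CRLF."""
    return body.rstrip("\r\n") + "\r\n"

def signature(headers, body):
    """Sign the covered headers plus the body hash (bh=). Everything else,
    including the SMTP envelope recipients, is outside the signed data."""
    bh = hashlib.sha256(simple_body(body).encode()).hexdigest()
    signed = "\r\n".join(relaxed_header(n, headers[n]) for n in COVERED)
    signed += f"\r\nbh={bh}"
    return hmac.new(SIGNING_KEY, signed.encode(), hashlib.sha256).hexdigest()

def verifies(headers, body, sig):
    return hmac.compare_digest(signature(headers, body), sig)

SIG = signature(ORIGINAL, BODY)

def replayed_copy_verifies():
    # The same message object handed to new RCPT TO addresses, with an extra
    # uncovered header, changes nothing the signature covers: a verifier
    # cannot tell the replay from the original by signature validity alone.
    return verifies({**ORIGINAL, "x-mailer": "bulk"}, BODY, SIG)

def altered_body_verifies():
    # Touching covered content (here the body, via bh=) breaks the
    # signature: this is the integrity DKIM actually provides.
    return verifies(ORIGINAL, BODY.replace("body", "offer"), SIG)

def folded_subject_verifies():
    # Relaxed canonicalization tolerates refolding of a covered header.
    return verifies(dict(ORIGINAL, subject="Weekly\r\n update"), BODY, SIG)
```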