On Sun, Nov 27, 2022 at 6:50 PM Dave Crocker <d...@dcrocker.net> wrote:
> On 11/27/2022 6:30 PM, Murray S. Kucherawy wrote:
>
> > Domain Keys Identified Mail (DKIM, RFC 6376) defines a mechanism for
> > using a digital signature to associate a domain identity with an email
> > message in a secure way, and to assure receiving domains that the
> > message has
> > not been altered since the signature was created. Receiving systems
>
> Again: DKIM does not assure that the message has not been altered. It
> assures only the covered portions of the message.
>
> That's not a small difference in data integrity protection.
>

OK, I'll add that in.

> > A DKIM-signed message can be re-posted, to a different set of
> > recipients, without
> > disturbing the signature's validity. This can be used to confound the
> > engines that
> > identify abusive content. RFC 6376 identified a risk of these
> > "replay" attacks, but
> > at the time did not consider this to be a problem in need of a
> > solution. Recently,
> > the community has decided that it has become enough of a problem to
> > warrant being revisited.
>
> This does not provide any real understanding of how replay is
> accomplished. And since it's easy to explain and doesn't take much
> text, I'll again encourage including that in the document that defines
> the nature of the problem we will be working on, namely the charter.
>

Doesn't the "A DKIM-signed message can be re-posted, ..." sentence do that?
I pulled it from your suggested text for that very reason. Maybe add
something to the second sentence making clear the roles in the attack?

> > The DKIM working group will produce one or more technical
> > specifications that
> > describe the abuse and propose replay-resistant mechanisms that are
> > compatible
> > with DKIM's broad deployment. The working group may produce documents
> > describing
> > relevant experimental trials first.
>
> This draft doesn't include the 'preservation of installed base' cover
> text that Barry's had and I forgot to include in mine. I think it's
> important.
>

I had intended "compatible with DKIM's broad deployment" to cover exactly
this. Should I word it differently?

-MSK
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
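
Added example, not part of the thread and not code from any DKIM implementation: a simplified Python model of the point raised above that DKIM covers only the header fields listed in h= and the body up to l=. The sample message, the helper names and the bare SHA-256 digest standing in for a real signature are assumptions; the SMTP envelope recipient is not an input at all, which is why re-posting to other recipients leaves the result unchanged.

```python
import base64, hashlib, re

def relaxed_header(name, value):
    # RFC 6376 section 3.4.2: lowercase the name, unfold, collapse whitespace
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.strip().lower()}:{value}\r\n".encode()

def relaxed_body(body, length=None):
    # RFC 6376 section 3.4.4: collapse whitespace, trim line ends,
    # drop trailing empty lines
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    canon = "".join(ln + "\r\n" for ln in lines).encode()
    return canon if length is None else canon[:length]  # l= limits body coverage

def covered_digest(headers, body, signed, length=None):
    """SHA-256 over the covered portions only. Simplification (assumption):
    a real signer also hashes the DKIM-Signature field itself and signs the
    result with RSA or Ed25519."""
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body, length)).digest())
    h = hashlib.sha256()
    remaining = list(headers)            # (name, value) pairs, top to bottom
    for name in signed:                  # each h= entry takes the lowest unused match
        for i in reversed(range(len(remaining))):
            if remaining[i][0].lower() == name.lower():
                h.update(relaxed_header(*remaining.pop(i)))
                break
    h.update(b"bh=" + bh)
    return h.hexdigest()

# Constructed sample message (not taken from the thread)
HEADERS = [("From", "News <news@example.com>"), ("To", "alice@example.net"),
           ("Subject", "Monthly  update"),
           ("Date", "Thu, 01 Jan 2015 00:00:00 +0000")]
BODY = "Hello,\r\nthis is the update.\r\n"
SIGNED = ["from", "subject", "date"]     # To: is not listed in h=

def with_header(headers, name, value):
    # Hypothetical helper: copy of the header list with one field replaced
    return [(n, value if n == name else v) for n, v in headers]
```

A verifier can therefore only conclude that the listed fields and the covered body bytes are unchanged; anything outside that set, including who the message was delivered to, is invisible to the check.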