On 12/11/22 8:34 AM, Dave Crocker wrote:
I think a simple -- and hopefully not too simplistic -- question to consider in the context of replay and other misuses of DKIM, is when is it reasonable to make a fresh validation effort invalid? When should a random, remote agent no longer be able to 'validate' the signature?

I'd like to draw an analogy to S/MIME signatures on messages. Specifically, is the signature of a signed message that validates today supposed to fail tomorrow just because of the relatively short intervening time when the signing S/MIME certificate expired?

Also, consider the scenario where a signature validates yesterday, but will be rejected next week after I revoke the signing certificate today. There is value in re-checking signatures /after/ delivery, specifically to subsequently check for revocation /after/ delivery.

I don't know if the concept of my analogy is directly applicable to DKIM signatures, but I think it's in the ballpark.



--
Grant. . . .
unix || die


_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
