On 12/12/22 8:49 PM, Murray S. Kucherawy wrote:
> On Mon, Dec 12, 2022 at 5:03 PM Michael Thomas <m...@mtcc.com> wrote:
>> Note that in both cases it requires the good will of the receiver (or
>> client in the web case). We already have the equivalent of expired certs
>> with the x= option. If senders are concerned about this, there is
>> already a solution in the current specs.
> At a recent meeting where I heard some mass senders talk about this
> problem, the use of "x=" as a mitigation technique was raised. I was
> curious to know what their experience was in terms of (a) success
> overall, but also (b) how broadly they found "x=" to have been
> properly implemented by receivers. I have to admit that was some
> months ago and now I forget the answer; maybe someone else who was
> there can fill in that blank.
>
> But I'm not sure that "x=" by itself is enough, given that it takes
> only a matter of seconds for the attack to succeed, and it seems
> unlikely to me that the "t=" and "x=" values would ever be that close
> together.
I too remain skeptical that would help with the problem as well; I was just
trying to point out that there exist protocol mechanisms already
available to have the same effect as stripping signatures. They all rely
on the good will of the initial receiver, which of course is far from
guaranteed.
If there is any solution here, it needs to be on the sender's end.
Mike
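The t=/x= point above is easy to see with a small verifier-side check. The following is an added example, not code from either poster or from any DKIM implementation: it parses the tags of a DKIM-Signature header and applies the RFC 6376 section 3.5 rules for t= (signature timestamp) and x= (signature expiration), then runs a constructed signature through three scenarios. The header value, its timestamps and the bh=/b= placeholders are all made up, since only the timing tags are examined; the enforce_x switch models a receiver that simply ignores x=, which is what "good will of the receiver" amounts to.

```python
"""Check the DKIM-Signature t= / x= tags (RFC 6376 section 3.5) against a
verification time, to show what a replayed message looks like to a receiver.

Added example; not from the thread above or from any DKIM library.
"""
import re


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs.

    Folding whitespace inside a value is stripped (RFC 6376 section 3.2
    permits FWS around and inside most values). Only the first '=' splits
    name from value, so base64 padding in bh=/b= is preserved.
    """
    tags = {}
    for field in header_value.split(";"):
        field = field.strip()
        if not field:           # trailing ';' or empty segment
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_expiration(tags: dict, now: int, enforce_x: bool = True) -> str:
    """Return 'pass' if t=/x= allow verification at Unix time `now`,
    otherwise a short failure reason.

    RFC 6376: x= MUST be greater than t= when both are present, and a
    verifier MAY treat a signature whose x= is in the past as invalid.
    enforce_x=False models a receiver that ignores x= entirely.
    """
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    if t is not None and x is not None and x <= t:
        return "fail: x= not greater than t="
    if x is not None and enforce_x and now > x:
        return "fail: signature expired"
    return "pass"


# Constructed signing time for the sample signatures (not a real message).
SIGNED_AT = 1670900000


def sample_signature(window_seconds: int) -> str:
    """Constructed DKIM-Signature value. bh= and b= are placeholders, not
    real hashes or signature bytes; only the timing tags matter here."""
    return (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
        " h=from:to:subject:date; bh=PLACEHOLDERBH=; "
        f"t={SIGNED_AT}; x={SIGNED_AT + window_seconds}; b=PLACEHOLDERB="
    )


def replay_outcome(window_seconds: int, replay_delay: int,
                   enforce_x: bool = True) -> str:
    """Outcome when a message signed with the given x= window is re-sent
    (replayed) replay_delay seconds after signing."""
    tags = parse_dkim_tags(sample_signature(window_seconds))
    return check_expiration(tags, SIGNED_AT + replay_delay, enforce_x)


if __name__ == "__main__":
    scenarios = [
        ("7-day x= window, replayed after 10 min", 7 * 86400, 600, True),
        ("60 s x= window, replayed after 10 min", 60, 600, True),
        ("60 s x= window, replayed after 5 s", 60, 5, True),
        ("60 s x= window, receiver ignores x=", 60, 600, False),
    ]
    for label, window, delay, enforce in scenarios:
        print(f"{label:45s} -> {replay_outcome(window, delay, enforce)}")
```

The first scenario is the common case (a days-long window), where a replay minutes later verifies cleanly; the third shows that even a one-minute window does nothing against a replay that completes within seconds, which is the objection raised above; the last shows that a receiver which does not implement x= passes everything regardless of the sender's choice.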
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim