On Thu 16/Feb/2023 21:56:52 +0100 Barry Leiba wrote:
>>> Okay. What's the value for X - T that prevents this problem, but doesn't cause DKIM
>>> signatures of "normal" mail to fail?
>>
>> There's not one "right" value; we're talking about distributions
>> of timings for normal mail vs. replay, and yes, there's some
>> overlap there. In practice I've seen many signers choose
>> expirations in the range of 1hr to a few days. 1hr can be very
>> good at limiting the opportunity for high volume replay, but I
>> estimate "normal" signature breakage at that level is on the
>> order of 0.1%. 24hr is probably effectively zero breakage, but
>> with greater opportunity for replay.
>
> I think you're way off on these numbers, especially for the 1-hour
> case. While normal circumstances get mail delivery in less than an
> hour, I have seen *many* cases of legitimate mail delayed by hours --
> sometimes quite a few hours. I would consider anything less than two
> days to be unacceptable, and with that sort of gap you don't do much
> to prevent a spam blast.
Wouldn't it be possible to organize a gap-discovery scenario where the sender
stores a per-user table of delivery times? One could get timings from positive
DSNs when available. Or one could create a new selector for each discovery and
measure the time between sending and the last DKIM key lookup.

For domains that re-sign before forwarding (perhaps using ARC), and are trusted
by their forwardee, it can be enough to store a per-domain entry, which is much
more practical.

It could be worth adding min/max/avg time entries to the <row> layout of
aggregate DMARC reports. (But this is the wrong mailing list to propose it.)
Best
Ale
--
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
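The thread argues about how large the gap between a DKIM signature's t= (signing time) and x= (expiration) tags can be before legitimate but delayed mail starts failing verification, and proposes measuring observed delivery delays to pick that gap. The following Python is an added example, not code from the thread or from any IETF participant: it parses the t=/x= tags from a DKIM-Signature value, applies the RFC 6376 rule that a verifier may reject a signature once the verification time is past x=, and then, over a constructed table of observed delivery delays, computes the breakage fraction for a candidate window and picks the smallest window that stays under a target breakage rate. The header value, the delay list and the function names are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed DKIM-Signature value (not taken from the thread). Only t= and x=
# matter here; bh= and b= are placeholders, not real hashes or signatures.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; d=example.com; s=sel202302; c=relaxed/relaxed; "
    "h=from:to:subject:date; t=1676580000; x=1676583600; "
    "bh=PLACEHOLDER=; b=PLACEHOLDER="
)

# Constructed delivery delays in seconds (time from signing to verification),
# the kind of per-user or per-domain table the "gap discovery" idea would build
# from DSN timings or last-key-lookup times. Most arrive within minutes; a few
# are delayed by hours, as the thread describes.
OBSERVED_DELAYS: List[int] = [
    5, 8, 12, 20, 30, 45, 60, 90, 120, 180,
    300, 600, 900, 1800, 2700, 3500, 7200, 14400, 36000, 90000,
]


def parse_dkim_tags(header: str) -> Dict[str, str]:
    """Split a DKIM-Signature tag-list (RFC 6376 section 3.2) into tag -> value.
    Folding whitespace inside values is removed, as the spec permits."""
    tags: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signature_is_expired(tags: Dict[str, str], verify_time: int) -> bool:
    """t= is the signing timestamp and x= the absolute expiration, both in
    seconds since the epoch. Per RFC 6376 a verifier MAY treat the signature as
    invalid once verify_time is past x=. A missing x= never expires."""
    if "x" not in tags:
        return False
    expires = int(tags["x"])
    if "t" in tags and expires < int(tags["t"]):
        # RFC 6376 requires x= to be greater than t= when both are present.
        raise ValueError("x= must not precede t=")
    return verify_time > expires


def breakage_fraction(delays: List[int], window: int) -> float:
    """Fraction of observed deliveries that would arrive after a signature
    with x - t == window had already expired."""
    return sum(1 for d in delays if d > window) / len(delays)


def choose_window(delays: List[int], max_breakage: float) -> int:
    """Smallest x - t (seconds) whose breakage fraction over the observed
    delays does not exceed max_breakage. Candidate windows are the observed
    delays themselves, so the answer is always one of the measured values."""
    for candidate in sorted(delays):
        if breakage_fraction(delays, candidate) <= max_breakage:
            return candidate
    return max(delays)


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_HEADER)
    window = int(tags["x"]) - int(tags["t"])
    print(f"signature window x - t = {window}s")
    for w in (3600, 86400, 172800):
        print(f"window {w:>6}s -> breakage {breakage_fraction(OBSERVED_DELAYS, w):.2%}")
    print(f"window for <=5% breakage: {choose_window(OBSERVED_DELAYS, 0.05)}s")
```

Running it shows the trade-off the thread is about: with this constructed table a one-hour window breaks 20% of deliveries, one day breaks 5%, and two days breaks none. The same functions work on a real per-domain table of delays, which is what makes the measured choice of x= - t= more defensible than a fixed value.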