On 1/16/2024 8:18 AM, Mike Hillyer wrote:
In an effort to make it easier for our users to prevent DKIM replay
attacks, we're looking at adding an option to our DKIM signing module to
automatically oversign headers in the DKIM signature, adding an
additional entry in the headers list to assert a null header, preventing
a malicious third party from adding an additional header but having the
message still validate as DKIM because only one instance of the header
was listed in the signature.

While I applaud your goal, it is not immediately obvious to me how this can reduce or eliminate DKIM Replay.

Could you provide an example?

Thanks.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
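
Added example, not part of either message: a Python sketch of the header selection that the quoted proposal relies on, where a verifier takes the bottom-most unused instance of a field for each h= entry and treats an entry with no matching field as null (RFC 6376). A SHA-256 over the selected fields stands in for the real signature, and the function names and sample headers are constructed for illustration.

```python
import hashlib

def covered_hash(headers, h_list):
    """Hash the header fields an h= list covers (stand-in for the signed data)."""
    remaining = list(headers)  # top-to-bottom order, as in the message
    digest = hashlib.sha256()
    for name in h_list:
        # Select the bottom-most instance of this field not yet consumed.
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                field, value = remaining.pop(i)
                digest.update(f"{field.lower()}:{value.strip()}\r\n".encode())
                break
        # No instance left: the entry counts as the null string, nothing is hashed.
    return digest.hexdigest()

def oversign(headers, names):
    """List each name once per instance present, plus one extra (null) entry."""
    h_list = []
    for name in names:
        count = sum(1 for field, _ in headers if field.lower() == name.lower())
        h_list.extend([name] * (count + 1))
    return h_list

def still_validates(original, modified, h_list):
    """True if the modified header set hashes the same as the signed original."""
    return covered_hash(original, h_list) == covered_hash(modified, h_list)

# Constructed sample headers (not from the thread).
ORIGINAL = [
    ("From", "alice@example.com"),
    ("To", "bob@example.net"),
    ("Subject", "Quarterly report"),
]
# The same message with one extra Subject field added above the signed ones.
MODIFIED = [("Subject", "Added later")] + ORIGINAL

PLAIN_H = ["From", "To", "Subject"]
OVERSIGNED_H = oversign(ORIGINAL, PLAIN_H)

if __name__ == "__main__":
    for h_list in (PLAIN_H, OVERSIGNED_H):
        result = still_validates(ORIGINAL, MODIFIED, h_list)
        print("h=" + ":".join(h_list), "-> still validates:", result)
```
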
