On 4/11/2025 12:56 PM, Richard Clayton wrote:
>> So, really, this is a failure of internal regulation and accountability
>> that is being externalized here.
> Although that is strictly true, the recipients of the replayed email do
> not see it that way.
That almost sounds like a reasonable point, except that a) it is a form
of victim blaming, and b) it really only serves to distract from the
point that was being made.
I suppose it also might be taken to imply that I was implying
nothing should be done. But, then, I never implied anything like that.
When working on a problem, it is pretty much always important to
understand its nature. In this case, one possible benefit is to consider
modifications that might try to limit their scope of use, rather than
requiring a massive change to the entire global email infrastructure.
> Those recipients tend to blame the mailbox provider who has deemed the
> email to be authentic enough to place in their inbox.
Recipients are unhappy. So let us say that a mechanism not designed to
handle the scenario that is making them unhappy is 'broken'. And let us
make massive changes to the email infrastructure. And...?
It might be worth considering offering a response that is a tad more
on-point?
> The mailbox provider's explanation that this is entirely legitimate
> email, that comes from where it says it does, has a DKIM1 signature that
> attests to it not being altered in any way cuts little ice.
Looks like you are viewing my comments as meaning nothing should be done
about DKIM Replay. But I never said nor implied that.
It is, however, curious that there is no interest in considering that
the relatively few platforms generating this problem, through a lack of
accountability, might maybe oughta be considered for making some changes
to -- and I am sure this will be a surprising suggestion -- their
controls on their users?
>> Theoretically, it might involve a compromised account, within that
>> services, of course. However that has not been part of the narrative
>> reporting this problem.
> Indeed ... but having said all that, the erosion of reputation of the
> signer is not, out in the real world, anything like fast enough for them
> to act (and it may be a one-off event so far as they are concerned).
Out in the real world, the problem is caused by lack of adequate
controls over users, on some platforms.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
bluesky: @dcrocker.bsky.social
mast: @[email protected]
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]