Hi all,
bear with me for a quick recap, please (or skip to the next paragraph). SPF
arose around 2000 and became popular within a few years. However, SPF breaks
forwarding. So, as an authentication alternative, DomainKeys came along, which
became DKIM in 2007. However, DKIM lacks a policy. It merely permits a domain
"to claim some responsibility for a message". Policy discussions began in 2007
with DKIM Sender Signing Practices (SSP), which became ADSP in 2008, was
published in 2009 and became historic in 2013. DMARC started in 2012,
non-standard publication is in 2015, standard publication is expected later
this year, after 11+ years of IETF discussion. However, DMARC breaks mailing
lists. To address "the issues with indirect mail flows", the DMARC WG came up
with the ARC protocol, 2019, a flop. A new protocol, codenamed DKIM2, is
taking shape at the IETF now. It is intended to solve not only the mailing
list problem, but also DKIM replay and the backscatter generated by
provisionally accepted messages that are then bounced. However, DKIM2 is
unlikely to become widespread quickly, in part because of the changes it
requires at the SMTP level.
The reason why ARC has not been successful is that it isn't clear how to
distinguish a legitimate forwarder from a malicious one, both of which
ARC-seal. In fact, an attacker can produce an ARC set that is the last one
after a chain composed of any domains she wants. IMHO, the only solution is to
ask the recipient, for each forwarded flow, including mailing lists, whether it
is wanted. I drafted a protocol for this, but I didn't have a chance to
discuss it in the DMARC WG because, after years, it closed in a hurry. Other
WGs or the ISE are not inclined to consider proposals that no one has
implemented yet. So I'm looking for aspiring pioneers for this protocol (or at
least to figure out what would be wrong with it).
https://datatracker.ietf.org/doc/html/draft-vesely-fix-forwarding
Fancy?
Best
Ale
--
-----
To unsubscribe from this mailing list or change your subscription options,
please visit: https://mailman.ripe.net/mailman3/lists/security-wg.ripe.net/
As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings.
More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
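An added illustration of the ARC point made in the post above (it is not code from the post, from the draft, or from any IETF reference implementation): a receiver can check that a chain of ARC-Seal headers is structurally well-formed under RFC 8617 (contiguous i=1..N, cv=none on the first seal, cv=pass on the rest, at most 50 instances), but that check says nothing about whether the last sealing domain is a forwarder the recipient actually wants. The trust decision has to come from somewhere else, which is the gap the post describes. The example assumes signature verification of each seal has already been done elsewhere, uses constructed messages with dummy b= values, and takes the recipient's per-forwarder consent as a plain set of domains (a stand-in for whatever an opt-in protocol would provide).

```python
from email import message_from_string

MAX_ARC_INSTANCES = 50  # upper bound on i= defined by RFC 8617


def parse_tags(value):
    """Parse a 'tag=value; tag=value' header body into a dict (whitespace tolerant)."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, val = part.split("=", 1)
        tags[key.strip()] = val.strip()
    return tags


def arc_chain(raw_message):
    """Structural ARC chain check only; seal signatures are assumed verified elsewhere.

    Returns (chain_ok, sealers) where sealers lists the d= domain of each
    ARC-Seal in instance order, so sealers[-1] is the most recent forwarder.
    """
    msg = message_from_string(raw_message)
    seals = {}
    for header in msg.get_all("ARC-Seal", []):
        tags = parse_tags(header)
        try:
            seals[int(tags["i"])] = tags
        except (KeyError, ValueError):
            return False, []  # missing or non-numeric instance tag
    n = len(seals)
    if n == 0 or n > MAX_ARC_INSTANCES or sorted(seals) != list(range(1, n + 1)):
        return False, []  # instances must be exactly 1..N with no gaps
    sealers = []
    for i in range(1, n + 1):
        expected_cv = "none" if i == 1 else "pass"
        if seals[i].get("cv") != expected_cv or "d" not in seals[i]:
            return False, []  # first seal carries cv=none, every later one cv=pass
        sealers.append(seals[i]["d"].lower())
    return True, sealers


def forwarder_accepted(sealers, wanted_forwarders):
    """Separate trust step: did the recipient opt in to the last sealing domain?"""
    wanted = {d.lower() for d in wanted_forwarders}
    return bool(sealers) and sealers[-1] in wanted


# Constructed message: an attacker (hypothetical domain attacker.example) builds
# a chain whose earlier sets name whatever domains she likes, then seals last.
# Every b= value below is a dummy; no real signature is present.
FORGED_CHAIN = """ARC-Seal: i=3; a=rsa-sha256; t=1700000300; cv=pass; d=attacker.example; s=s1; b=ZZZ
ARC-Authentication-Results: i=3; attacker.example; arc=pass; dmarc=pass
ARC-Seal: i=2; a=rsa-sha256; t=1700000200; cv=pass; d=lists.example; s=s1; b=YYY
ARC-Authentication-Results: i=2; lists.example; arc=pass; dmarc=pass
ARC-Seal: i=1; a=rsa-sha256; t=1700000100; cv=none; d=bigmailer.example; s=s1; b=XXX
ARC-Authentication-Results: i=1; bigmailer.example; spf=pass; dkim=pass; dmarc=pass
From: alice@sender.example
To: bob@recipient.example
Subject: forged chain

body
"""

# Constructed message: a single legitimate list hop (hypothetical domain lists.example).
LIST_HOP = """ARC-Seal: i=1; a=rsa-sha256; t=1700000100; cv=none; d=lists.example; s=s1; b=XXX
ARC-Authentication-Results: i=1; lists.example; spf=pass; dkim=pass; dmarc=pass
From: alice@sender.example
To: bob@recipient.example
Subject: list traffic

body
"""

# Constructed message whose only seal claims cv=pass at i=1, which RFC 8617 forbids.
BROKEN_CHAIN = """ARC-Seal: i=1; a=rsa-sha256; t=1700000100; cv=pass; d=lists.example; s=s1; b=XXX
From: alice@sender.example
To: bob@recipient.example
Subject: broken chain

body
"""

if __name__ == "__main__":
    # Recipient bob has opted in to forwarding from lists.example only.
    wanted = {"lists.example"}
    for name, raw in (("forged", FORGED_CHAIN), ("list", LIST_HOP), ("broken", BROKEN_CHAIN)):
        ok, sealers = arc_chain(raw)
        print(name, "chain_ok=%s" % ok, "sealers=%s" % sealers,
              "accepted=%s" % forwarder_accepted(sealers, wanted))
```

The forged message passes the structural check with a perfectly plausible-looking chain, which is exactly why cv=pass on its own cannot be the acceptance criterion; only the recipient-side consent lookup in `forwarder_accepted` tells the two cases apart.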