On April 14, 2015 6:58:11 AM EDT, "Stephen J. Turnbull" <[email protected]> wrote:
>Scott Kitterman writes:
>
> > Far more concerning to me is that once someone has received a
> > message with a valid 'weak' signature, the only protection against
> > replay is Message ID tracking.
>
>I don't understand the attack you have in mind. First, do you mean
>the Mediator identified in the fs= tag can replay? Or a third party?
>What is the damage that could be inflicted by this replay? To whom?
The 'mediator'. Once I am in receipt of a message from you with a signature that is fs=me, then I can send mail on your behalf with any parts of the message not covered by the weak signature having arbitrary changes (including complete replacement).

Keeping in mind that one of the advantages of this approach is not needing to keep a real-time list of mediator addresses users in your domain might send to, to make this work at scale, I think the fs= signature has to be put on all messages. The reason I put mediator in quotes above is because it's anyone you send mail to.

The damage is that all it takes is one message from your domain sent to a 'bad' domain, and then that domain can generate arbitrary messages that will pass the test. The "to whom" is the sender's brand, and the receiver if it makes it through to the inbox.

The one way to catch this that we've come up with so far is Message ID tracking, since that is signed in the fs= signature (so it can't be replaced). That's not ideal though.

Scott K
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
