On Tuesday, April 14, 2015 10:44:39 PM Stephen J. Turnbull wrote:
> Scott Kitterman writes:
> > Keeping in mind that one of the advantages of this approach is not
> > needing to keep a real time list of mediator addresses users in
> > your domain might send to, to make this work at scale, I think the
> > fs= signature has to be put on all messages.
>
> I don't think so. I think that a conservative approach of keeping the
> list in the user profile and doing weak signatures in the MUA will
> work for a large proportion of users (Yahoo!, AOL, GMail, Hotmail,
> up-to-date SquirrelMail etc installations), plus the hard core of
> Emacs users (Gnus will have a zero-day implementation, no doubt) and
> mutt users (I know, it's not like Emacs and mutt are a significant
> proportion anymore, it's the principle of the thing). Anybody who's
> thinking about putting fs= on all users on all outgoing mail will
> probably think twice and just not do it. Or I kinda hope so.
>
> > The damage is that all it takes is one message from your domain
> > sent to a 'bad' domain and then that domain can generate arbitrary
> > messages that will pass the test.
>
> OK, I hadn't envisioned the "let's see just how badly we can implement
> this protocol" scenario, but yes, it's a real issue. Note that
> Murray's other proposal (MIME-part-by-part signatures) supports a
> heuristic to get around this (if you can't find any original parts,
> it's spam). I guess you can come pretty close to arbitrary, though.
I wasn't attempting to do it purposefully badly. I'm not aware of any significant DKIM signing done at the MUA level. I think (at least for real DKIM signatures) you have to have the MTA do it to mitigate the risk of signature breakage due to MTA-level transformations. If the signature has to be done at the MUA, then we're back to "this only works once MUA upgrades are done". I thought we'd agreed forcing MUA modifications was not a post for success.

If I misunderstood the proposal and it requires someone to be keeping a list of mailing lists used (either globally or by individual users), then I think this is not a good idea at all. I don't think any tracking/whitelisting design is going to succeed at scale.

My view is that either we find a reasonable way to make this idea work without a list of mailing lists or we toss it on the pile of things that won't work.

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
