On Tue, 8 Aug 2017, at 23:36, Kurt Andersen (b) wrote:
> On Mon, Aug 7, 2017 at 9:10 PM, Bron Gondwana
> <br...@fastmailteam.com> wrote:>> __
>> . . . If you aren't willing to agree that the most recent liar can
>> repurpose an existing chain, I'm happy to avoid making the forgery,
>> otherwise I'll make up a forgery and send it to the list.>>
>> But since you either trust every hop to do good checks, or you
>> don't trust the entire message - then the ARC-Seal is literally
>> adding nothing. It adds no meaning, just extra work. Hence my
>> snakeoil claim.>>
> Is your concern that the last hop (or any other) can essentially do a
> wholesale replacement of the message contents and that there is no way
> to distinguish that from a semantically meaningless footer tweak?>
> I'm not sure that I understand your assertion that you can forge an AS
> any more than you could forge a DKIM signature.
The whole point of verifying the chain of AS all the way back to i=1
is that you can tell that the message went through those servers, in
But it's bogus, because AS doesn't sign anything except itself and some
AMS and AAR. Once AMS doesn't validate any more (any change at all)
then you can't really tell that the message passed through there, just
the _a_ message passed through there.
So I could take an existing message that had passed through Google and
create a brand new message and pass it off as if it had passed through
Google before passing through my server on its way to you.
In which case - the AS is meaningless. It claims something which is
only true if everyone plays by the rules. But if everyone plays by the
rules, then it's excessive. You could just check the previous AAR and
know that the previous site had validated the hop before it, and so on.
It's crypto that doesn't add anything of value.
It's not actively damaging (other than the advice to do excessive DNS
lookups), but it's also not doing anything meaningful, and it's adding
something forgeable that looks like it means something.
Bron Gondwana, CEO, FastMail Pty Ltd
dmarc mailing list