On Tue, Jul 10, 2018 at 1:24 PM, Jim Fenton <[email protected]> wrote:
> On 7/10/18 12:43 PM, Murray S. Kucherawy wrote:
>
>> AMS is basically the same as DKIM-Signature, and so it covers body
>> modifications. When you verify the seal, you must also verify the latest
>> AMS, which in turn means the seal is invalidated as soon as someone changes
>> the content.
>
> Which goes back to my original question. If you need to check the AMS
> anyway, what additional purpose does the AS serve?

It's an interesting question. I imagine it's similar in nature to the fact that the crypto part of a DKIM-Signature will still pass for a message with a modified body; you have to then check that "bh=" matches the current content before you can truly assert that the signature is valid.

>> I disagree. If I can cause your MTA to crash because of oversized header
>> fields, that's at least a denial of service attack. If I can cause your
>> filter to crash because of oversized header fields and your MTA fails open,
>> I can bypass whatever protections the filter offers.
>
> In that case, I'm fine if this is expressed in terms of a security threat.
> But any ARC-specific nature to this threat is a marginal case; an attacker
> could do the same in most cases by just adding lots of garbage header
> fields.

True, but I think the nature of the beast here is that this is a non-garbage addition to the email infrastructure that will certainly bloat headers, and participants (and maybe even non-participants) need to be able to deal with it.

> OK, it's possible that this has been done. But the important question is,
> does this draft need to wait for 7602bis to be published?

This draft, as I recall, is trying to register some things into the authentication method registries that the prose of 7601 didn't allow. So, yes. I had thought that we planned to do them as a cluster anyway, and that 7601bis was ready for WGLC ahead of this one, but I've forgotten where we are with it now.

-MSK
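The "bh=" check Murray refers to, as an added example that is not code from the thread or from any ARC or DKIM implementation: the body hash carried in a DKIM-Signature or ARC-Message-Signature is recomputed over the canonicalized body (RFC 6376 "simple" or "relaxed") and compared to the bh= tag, so a modified body is caught regardless of whether the signature's cryptographic check passes. The domain, selector, header value and message text are constructed for the demonstration; b= is left empty because only the body-hash step is shown.

```python
import base64
import hashlib
import re


def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """RFC 6376 body canonicalization: 'simple' or 'relaxed'."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        # Collapse runs of WSP to a single SP and drop trailing WSP per line.
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # An empty body canonicalizes to CRLF under simple, to nothing under relaxed.
        return b"\r\n" if mode == "simple" else b""
    # A non-empty body always ends with exactly one CRLF.
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str, mode: str = "relaxed", algo: str = "sha256") -> str:
    """Base64 digest of the canonicalized body, i.e. the expected bh= value."""
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def extract_bh(sig_header: str) -> str:
    """Pull the bh= tag out of a DKIM-Signature / ARC-Message-Signature value."""
    for tag in sig_header.replace("\r\n", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "bh":
            return re.sub(r"\s+", "", value)  # folding whitespace may sit inside the tag
    raise ValueError("no bh= tag in signature header")


def bh_matches(sig_header: str, body: str, mode: str = "relaxed") -> bool:
    """True only if the current body still hashes to what the signer recorded."""
    return extract_bh(sig_header) == body_hash(body, mode)


def build_ams(body: str, mode: str = "relaxed") -> str:
    """Constructed ARC-Message-Signature value carrying bh= for `body` (hypothetical signer)."""
    return (f"i=1; a=rsa-sha256; c=relaxed/{mode}; d=example.org; s=sel;"
            f" h=from:to:subject; bh={body_hash(body, mode)}; b=")


if __name__ == "__main__":
    original = "Hi,\r\n\r\nPlease review the draft.\r\n"   # constructed sample body
    ams = build_ams(original)
    print("unmodified body matches bh=:", bh_matches(ams, original))
    print("edited body matches bh=:   ", bh_matches(ams, original.replace("review", "approve")))
```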
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
