On 7/6/2020 10:41 AM, John R Levine wrote:
On Mon, 6 Jul 2020, Dave Crocker wrote:
Perhaps, like some others, I'm not understanding this correctly, but
I think the proposal has nothing at all to do with what the recipient
sees. Rather, I've understood this as an attempt to reverse
additions made by a Mediator, with the goal of validating the
origination DKIM signature. Presumably that is so as to use the
origination domain's reputation and even permit DMARC to validate.
But why would I want to do that?
I wasn't advocating or criticizing. Just trying to synchronize that
nature and purpose of the task.
ARC lets a credible mediator say this message was OK before I munged it.
That's a very different trust model from allowing a means to directly
vet the original signature.
This proposal lets a sleazy mediator say the same thing, with advice
on how to verify mechanically.
Actually, it doesn't.
The sleazy mediator cannot somehow forge an originator's signature so it
validates.
A sleazy mediator takes a message from Paypal and wraps a big blob of
HTML spam around it that will display on top of the original message.
I get the spammy message, look at the signatures and find yup, there's
a real Paypal message inside the spam. What should I do with it?
It's unlikely the Paypal message was intended for me.
A worthy scenario to worry about, but completely different from the
nature of what ARC does and its likely benefits and weaknesses.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
