On 8/26/2020 5:00 PM, Jim Fenton wrote:
On 8/26/20 10:54 AM, Dotzero wrote:


On Wed, Aug 26, 2020 at 1:32 PM Doug Foster
<fosterd=40bayviewphysicians....@dmarc.ietf.org
<mailto:40bayviewphysicians....@dmarc.ietf.org>> wrote:

    Are the weak signatures vulnerable to a replay attack? I
    thought that one of the reasons that DKIM signatures included
    the whole body was to prevent the signature from being reused.

    DF


Not particularly vulnerable. The requirement is that you have the
"weak signature" plus the intermediary full DKIM signature. This
lets the validator/receiver know that the originating domain knew
that the intermediary might break the originating domain's DKIM
signature but the validator/receiver would have the DKIM signature
of the intermediary. The "weak signature" is only validated against
that specific message and headers it signed and that specific
intermediary. It's not a generic/general signature.


It sounds like the weak signature is just a regular DKIM signature
plus the designation of the intermediary, and the "weak" part is that
you don't check the body hash against the body. Have I got that right?

Yes.

ATPS vs Conditional Signature

The end goal is technically the same. Author Domain authorizing a 3rd party signer.

The key difference is DNS. ATPS uses DNS to authorize the signer. Conditional signature has the extra tag to define an expected 3rd party signature by a 3rd party domain uplink.

For the signing code, there is no change for ATPS. Conditional requires significant signer code change.

For the verifying code, the DMARC verifier adds ATPS DNS lookup checks if the 1st and 3rd party domains differ, or it can also add conditional signature checks.

We should ALLOW both to be explored.

For conditional, you don't need a DMARC tag extension. The existence of the extra tag triggers the logic.

For ATPS (RFC 6541), it was designed to piggyback off ADSP. So ATPS will need to be updated to use DMARCbis. The Domain sets the atps=y extension tag to trigger the logic.


--
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos
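The weak-signature verification rule discussed above (accept the author's signature without checking its body hash only when the named intermediary's full signature validates), as an added Python example. This is not code from the thread, from DKIM, or from any DMARC implementation: HMAC-SHA256 with constructed shared secrets stands in for DKIM's public-key signing, the `fs` tag naming the expected intermediary is an assumed tag name, and the domains and message are constructed.

```python
"""
Constructed illustration of a "weak" (conditional) DKIM signature.

The author domain signs the selected headers and names the intermediary it
expects to re-sign the message. The verifier accepts that weak signature
without comparing its body hash to the body, but only when a full signature
from the named intermediary validates over the delivered body. HMAC with
shared secrets stands in for public-key signatures, and the "fs" tag name is
an assumption of this example, not a tag defined by the thread or by DKIM.
"""
import hashlib
import hmac

# Constructed signing keys (stand-in for private keys whose public halves
# would be published in DNS).
KEYS = {
    "author.example": b"constructed-author-key",
    "forwarder.example": b"constructed-forwarder-key",
}


def canonical_headers(headers, names):
    """Relaxed-style canonicalization: lowercase name, trimmed value, CRLF."""
    return "".join(f"{n.lower()}:{headers[n].strip()}\r\n" for n in names).encode()


def body_hash(body):
    return hashlib.sha256(body).hexdigest()


def signed_data(sig, headers):
    """Bytes covered by the signature: the signed headers plus every tag except b."""
    names = sig["h"].split(":")
    tags = ";".join(f"{k}={v}" for k, v in sig.items() if k != "b")
    return canonical_headers(headers, names) + tags.encode()


def sign(domain, headers, names, body, expected_intermediary=None):
    """Create a signature; with expected_intermediary it is a weak signature."""
    sig = {"d": domain, "h": ":".join(names), "bh": body_hash(body)}
    if expected_intermediary:
        sig["fs"] = expected_intermediary  # assumed tag naming the 3rd-party signer
    sig["b"] = hmac.new(KEYS[domain], signed_data(sig, headers), hashlib.sha256).hexdigest()
    return sig


def verify(sig, headers, body, check_body=True):
    """Check the signature over headers and tags; optionally also the body hash."""
    try:
        expected = hmac.new(KEYS[sig["d"]], signed_data(sig, headers), hashlib.sha256).hexdigest()
    except KeyError:  # unknown signer or a signed header that is missing
        return False
    if not hmac.compare_digest(expected, sig["b"]):
        return False
    return (not check_body) or sig["bh"] == body_hash(body)


def evaluate(sigs, headers, body):
    """Return the set of domains whose signatures pass, applying the weak rule."""
    passed, full_ok = set(), set()
    for s in sigs:  # full signatures first: body hash must match
        if "fs" not in s and verify(s, headers, body):
            passed.add(s["d"])
            full_ok.add(s["d"])
    for s in sigs:  # weak signatures: body hash skipped, but only for the named intermediary
        if "fs" in s and s["fs"] in full_ok and verify(s, headers, body, check_body=False):
            passed.add(s["d"])
    return passed


def scenario():
    """Constructed message: signed by the author, modified and re-signed by a forwarder."""
    names = ["From", "Subject"]
    headers = {"From": "alice@author.example", "Subject": "Hello"}
    body = b"original body\r\n"
    author_sigs = [
        sign("author.example", headers, names, body),
        sign("author.example", headers, names, body, expected_intermediary="forwarder.example"),
    ]
    # The forwarder appends a footer (breaking the author's full signature) and re-signs.
    fwd_body = body + b"-- list footer\r\n"
    fwd_sigs = author_sigs + [sign("forwarder.example", headers, names, fwd_body)]
    delivered = evaluate(fwd_sigs, headers, fwd_body)
    # Body altered after the forwarder signed: its full signature no longer covers the body,
    # so the weak signature is not accepted either.
    altered_body = evaluate(fwd_sigs, headers, fwd_body + b"extra\r\n")
    # A signed header changed downstream: the weak signature covered Subject, so it fails too.
    altered_header = evaluate(fwd_sigs, {**headers, "Subject": "Changed"}, fwd_body)
    return delivered, altered_body, altered_header


if __name__ == "__main__":
    print(scenario())
```

The third case shows the point made above that the weak signature is still bound to the headers it signed and to the specific intermediary: dropping the body-hash check does not make it a general-purpose signature, and without a validating full signature from the named intermediary it is not accepted at all.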


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
