On Mon 14/Nov/2022 19:29:10 +0100 Evan Burke wrote:
> On Mon, Nov 14, 2022 at 8:03 AM Alessandro Vesely <ves...@tana.it> wrote:
>>> The exception is a standardised mechanism to allow a sender/signer to
>>> indicate the [approximate] number of intended recipients, with which
>>> receivers might make fact-based decisions about when to recognise an
>>> instance of this particular attack
>>
>> For a mailing list, this is totally out of reach, unless the MLM itself
>> is the (ARC) signer. Even then, when the MLM knows there are 1000
>> subscribers, should it extract the average per domain weight? I mean if
>> 500 are @gmail.com and just 1 is @tana.it, should it extract the right
>> figures for each receiver or send a rough total, which smaller mailbox
>> providers cannot use?
>
> I disagree, this is perfectly fine. Approximate counts - even with an order
> of magnitude margin in some cases - would be an effective deterrent against
> large-scale replay attacks like what we've seen in the past year, where
> there could be 10s of millions of replays of a single message signature.
I don't get it. For sending, I don't know how many subscribers there are in
ietf-dkim. How could I sign an approximate number of recipients in this message?

For receiving, I don't recall receiving millions of identical messages, not
even hundreds. Perhaps I received a few of those; any further details on
that attack would be appreciated. How could I have used a numerical
indication, if it had been available at the time?
Best
Ale
--
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
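The receiver-side use of a declared recipient count that the two messages above argue about, written out as an added example; this is not code from the thread, from any DKIM verifier, or from any draft. It assumes a hypothetical `rc=` tag in DKIM-Signature carrying the signer's approximate number of intended recipients (no such tag is standardised, and the thread names none), assumes the signature has already been cryptographically verified elsewhere, and runs over a constructed sample header whose `b=` value is dummy base64. The receiver keys on the `b=` value, which is fixed at signing time and therefore identical across every replayed copy, counts deliveries per signature, and compares the count against the declared figure with the order-of-magnitude margin Evan mentions.

```python
"""Receiver-side DKIM replay heuristic driven by a declared recipient count.

Added example for this thread, not code from any DKIM implementation or draft.
Assumptions (hypothetical, for illustration only):
  * a DKIM-Signature tag "rc=" carries the signer's approximate number of
    intended recipients; no such tag is standardised;
  * the signature has already been cryptographically verified elsewhere, so
    this code only asks "how many times have I seen this exact signature?".
"""
import hashlib
from collections import defaultdict

# One order of magnitude of slack over the declared count; tune per deployment.
MARGIN = 10


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag=value list (RFC 6376 section 3.2) into a
    dict. Folding whitespace inside values is dropped, as the spec allows."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)  # b= values end in '=' padding
        tags[name.strip()] = "".join(value.split())
    return tags


class ReplayTracker:
    """Counts deliveries per signature value and compares against rc=."""

    def __init__(self, margin: int = MARGIN):
        self.margin = margin
        self.seen = defaultdict(int)  # sha256(b= value) -> deliveries observed

    def observe(self, dkim_signature: str):
        """Record one delivery carrying this DKIM-Signature.

        Returns (verdict, seen, declared):
          'unknown' - no usable rc= tag, the heuristic does not apply
          'ok'      - seen <= declared
          'suspect' - over declared but within margin (lists, forwarders)
          'replay'  - more than margin * declared copies of one signature
        """
        tags = parse_dkim_tags(dkim_signature)
        # The b= value is produced once per signing operation, so it identifies
        # the signed message; replayed copies carry it unchanged.
        sig_id = hashlib.sha256(tags.get("b", "").encode()).hexdigest()
        self.seen[sig_id] += 1
        seen = self.seen[sig_id]
        rc = tags.get("rc", "")
        if not rc.isdigit() or int(rc) == 0:
            return "unknown", seen, None
        declared = int(rc)
        if seen <= declared:
            return "ok", seen, declared
        if seen <= declared * self.margin:
            return "suspect", seen, declared
        return "replay", seen, declared


# Constructed sample headers (not real signatures); the b= value is dummy
# base64 and would never verify against any key.
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2022;\r\n"
    " h=from:to:subject:date; rc=3;\r\n"
    " bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;\r\n"
    " b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZSwganVzdCBmaWxsZXI=="
)
# Same shape, no rc= tag and a different b=, standing in for a legacy signer.
LEGACY_SIG = SAMPLE_SIG.replace(" rc=3;\r\n", "").replace("b=dGhp", "b=eGhp")


def run_sample(deliveries: int = 40):
    """Deliver SAMPLE_SIG `deliveries` times to one receiver, then one copy of
    the signature without rc=. Returns the list of verdicts and the legacy one."""
    tracker = ReplayTracker()
    verdicts = [tracker.observe(SAMPLE_SIG)[0] for _ in range(deliveries)]
    legacy = tracker.observe(LEGACY_SIG)[0]
    return verdicts, legacy


if __name__ == "__main__":
    verdicts, legacy = run_sample()
    for n, v in enumerate(verdicts, 1):
        if n in (1, 3, 4, 30, 31, 40):
            print(f"delivery {n:3d}: {v}")
    print(f"signature without rc=: {legacy}")
```

With `rc=3` and a tenfold margin, copies 1 to 3 are accepted, 4 to 30 are marked suspect, and everything from copy 31 on is flagged as replay; a signature without the tag gets no verdict at all. The same arithmetic shows the trade-off Alessandro raises about a rough total: a list signer that declares `rc=1000` for all subscribers makes a single receiver flag only once it has seen more than 10,000 copies of one signature, which still catches replays in the millions but not a few thousand copies aimed at that one receiver.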