On 26 Nov 2022, at 15:20, Barry Leiba wrote:
> We have to decide whether it's worth breaking that use case in order
> to address the replay situation. My opinion is that it's not --
> because, as I say, I rely on that use case extensively. My system
> would have to change *significantly* in order to work around that.

On 25 Nov 2022, at 2:26, Laura Atkins wrote:

> And, I think most importantly: will this recommendation by the IETF have any
> impact whatsoever on the groups currently using DKIM replay as a way to get
> past (some) filters? I don’t see how it will; most of them are using their
> own email addresses / servers to collect the replayed messages and then
> sending the messages out through their own systems. Even if Google and
> Microsoft and Yahoo and the other top 20 mailbox providers start stripping
> DKIM headers, the attackers will be able to find some service somewhere that
> doesn’t. Worst comes to worst, they stand up an MX on an EC2 instance and run
> their own code to collect the mail.

We should use the criteria that the FDA establishes for remedies: “Is it safe and effective?”

Not Safe: It’s not safe because it breaks Barry’s use case above, and others have pointed out MUA usage of the signature.

Not Effective: Attackers can easily circumvent this by running their own MX (if they don’t do that already), as Laura and others have pointed out.

We should move on to better ideas.

-Jim

_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
