On Tue, Jan 3, 2023 at 1:38 PM Todd Herr <todd.herr= [email protected]> wrote:
> On Tue, Jan 3, 2023 at 4:04 PM Michael Thomas <[email protected]> wrote:
>
>> Yet another reason why I'm skeptical. If there were a viable protocol
>> solution to this, why hasn't M3AAWG found it? Why re-spin up a working
>> group with what appears to be a greenfield solution space if an active
>> industry working group hasn't chimed in? If there were some viable protocol
>> solution, I would expect they would at least put it forward. Working groups
>> are infinitely more productive if there is some collective agreement about
>> the general parameters of a solution, even if the particulars need to be
>> vetted. The couple of solutions I've seen thus far are either trivially
>> breakable (= stripping signatures at MDAs), or frightening to contemplate
>> what they'd break (= tying envelope to message). That doesn't give me the
>> warm fuzzies about any protocol level solution.
>>
>> Also: if they are indeed working on a BCP, it would be far better to use
>> that as input rather than reinventing wheels.
>>
> While I wouldn't presume to speak for M3AAWG, and although some M3AAWG
> work products have been used as inputs to the IETF process (such as RFC
> 6449, to cite but one example), and although there are many people that are
> active both in M3AAWG and the IETF, it's my sense that M3AAWG doesn't see
> itself as a body that proposes changes to existing protocols. Rather, I've
> always seen M3AAWG as an organization that primarily figures out the best
> way to make use of existing protocols and publishes documents describing
> those best uses in the fight against messaging and other abuse.
>
> I'm not at liberty to speak about the content of current M3AAWG work on
> the topic of DKIM replay attacks or what direction that work has taken, but
> everything I've seen so far has been recommendations to do things already
> permitted by the protocols in existence, recommendations that have almost
> certainly been implemented by a number of M3AAWG member companies. Those
> recommendations are not bulletproof, however, and so people have come here
> to see if there might be a forum for defining updates to the DKIM protocol
> that might make it more resistant to replay attacks.
>

+1

So yes this was discussed and started at a M3AAWG BoF (at M3AAWG 56 in Oct 2022) that discussed DKIM replay. As by that point there were several drafts with proposed solutions, the suggestion from feedback at the BoF was to send this work to IETF Dispatch. This work was presented at IETF 115 (Nov 2022) and the Dispatch slides <https://datatracker.ietf.org/meeting/115/materials/slides-115-dispatch-dkim-replay-problem-and-possible-solutions-01> are largely derived from the BoF slides, i.e. summarized to fit in the Dispatch time limit. The set of drafts mentioned at the BoF and Dispatch are cited in the proposed DKIM WG charter <https://datatracker.ietf.org/doc/charter-ietf-dkim/04-03/>.

-Wei
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
