On February 16, 2023 8:03:01 PM UTC, Evan Burke <evan.bu...@mailchimp.com> 
wrote:
>On Thu, Feb 16, 2023 at 10:45 AM Scott Kitterman <ietf-d...@kitterman.com>
>wrote:
>
>>
>> On February 16, 2023 6:10:39 PM UTC, Evan Burke <evan.burke=
>> 40mailchimp....@dmarc.ietf.org> wrote:
>> >The biggest current problem with replay is that it happens in bulk, at
>> >substantial scale. x= is effective against that because it takes time to
>> >send millions of messages.  Is it perfect? No. But it's not difficult to
>> >choose between 10,000 replays using my domain vs. millions.
>>
>> Okay.  What's the value for X - T that prevents this problem, but doesn't
>> cause DKIM signatures of "normal" mail to fail?
>>
>>
>There's not one "right" value; we're talking about distributions of timings
>for normal mail vs. replay, and yes, there's some overlap there. In
>practice I've seen many signers choose expirations in the range of 1hr to a
>few days.  1hr can be very good at limiting the opportunity for high volume
>replay, but I estimate "normal" signature breakage at that level is on the
>order of 0.1%. 24hr is probably effectively zero breakage, but with greater
>opportunity for replay.
>
>I understand the pushback; this is a list to talk about a standard, and
>standards tend to be a lot more binary in their functionality, so to speak.
>Maybe you're not receptive to a more practical solution - that's fine, I
>respect that - but I think there may be others here who are more open to
>that kind of approach.

I'm not necessarily opposed to going down this kind of path, but it should be 
with eyes open on the side effects.  I'm all about practical, but in my book 
that includes not creating an attractive nuisance that causes more problems 
than it solves (not saying that X= is that, I don't have much of an opinion 
yet).

Scott K
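The x=/t= expiration window being argued over above, worked as an added Python example that is not code from either poster or from any DKIM implementation: it parses the tag list of a DKIM-Signature value, reports the replay window a signer has chosen (x minus t), and applies the verifier-side expiry check, including the no-x= and x-before-t cases. The header value and timestamps are constructed for illustration.

```python
import re
import time

# Constructed sample DKIM-Signature value: signed at t=, expires at x= one hour later.
# The domain, selector and timestamps are made up; bh= and b= are elided placeholders.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "t=1676577600; x=1676581200; h=from:to:subject; bh=...; b=..."
)


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list syntax)."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")  # only the first '=' separates tag from value
        tags[name.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is not significant
    return tags


def replay_window_seconds(tags: dict):
    """Length of the window (x - t) during which a captured copy still verifies; None if unbounded."""
    if "x" not in tags or "t" not in tags:
        return None
    return int(tags["x"]) - int(tags["t"])


def expiry_status(tags: dict, now: int) -> str:
    """Classify the signature's validity window relative to `now` (Unix seconds).

    "no-expiry": no x= tag, so the window for replay is unbounded.
    "invalid":   x= is not later than t=, which RFC 6376 forbids.
    "expired":   now is past x=; a verifier may fail the signature.
    "valid":     now is within the window.
    """
    if "x" not in tags:
        return "no-expiry"
    x = int(tags["x"])
    if "t" in tags and x <= int(tags["t"]):
        return "invalid"
    return "expired" if now > x else "valid"


if __name__ == "__main__":
    parsed = parse_dkim_tags(SAMPLE_HEADER)
    print("replay window (s):", replay_window_seconds(parsed))
    print("status now:", expiry_status(parsed, int(time.time())))
```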

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim