On Wed 16/Aug/2023 11:17:50 +0200 Laura Atkins wrote:
> On 16 Aug 2023, at 09:57, Alessandro Vesely <[email protected]> wrote:
>> How about enacting common sense rules such as Never sign anything without reading
>> the small print? In the same way that users agree to any Terms & Conditions
>> without reading, domains sign any mail their users send without knowing. Decadent
>> practices, aren't they?
>
> Can you expand on this? I’m not sure I understand how reading the content will
> fix the problem. Spam is an issue of volume mostly.

Avoiding /signing without knowing/ could perhaps partially solve the problem.
Reading the content was just for comparison with signing agreements.

>> Does Google know the real ID of its users? I'd guess in many cases they do;
>> for example, Google does payments and bank stuff which do require real IDs (I
>> pay, therefore I am). Nevertheless, they sign all email messages with the same
>> d=gmail.com, irrespective of user reputation.
>>
>> I fully understand the right to anonymity. I know it's in the First Amendment,
>> in the US. However, I figure users should trust their mailbox providers enough
>> to disclose their real ID. The minority of people who really need to care
>> about that can always find a provider in countries where ISPs cannot be forced
>> to disclose, or suffer sending lower grade mail.
>>
>> Would that be an acceptable kind of solution?
>
> I’m not sure I understand how this is a solution. As Evan and Emanuel have both
> said the bad actors have access to many thousands of accounts that look like
> real accounts. In my own experience, they have access to validating credit
> cards which is one of the most common ways to validate a real identity online.

There is an ongoing effort to safeguard digital identities (and plaguing people
with 2FAs). Checking IDs must be possible, and should be done in a number of
cases. Perhaps free mailbox providers could contribute...?

Before digressing about methods, the question is whether limiting signing to
known (good) users could mitigate the replay problem. Suppose an ESP or MP
only signs mail authored by people who subscribed more than one month ago, and
whose ID was verified less than six months ago. Would that diminish replay
attacks by any amount?

BTW, how many replay attacks does an average ESP or MP notice in one month?
Is it legal to mount replay attacks?
Was any user responsible for replay attacks ever identified and prosecuted?

Best
Ale

--
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim