> On Aug 16, 2023, at 11:21, Jim Fenton <[email protected]> wrote:
>
> On 16 Aug 2023, at 10:57, Jon Callas wrote:
>
>>> On Aug 16, 2023, at 10:25, Alessandro Vesely <[email protected]> wrote:
>>>
>>> To repeat my questions, then, would limiting (qualified) DKIM signatures to
>>> verified accounts diminish replay attacks by any amount? Is this kind of
>>> solution acceptable?
>>
>> There are two reasons that this isn't acceptable. One is that DKIM is
>> domain-level signing, not user-level signing, and that's been so since the
>> beginning. DKIM is *intentionally* designed with that as an anti-goal. The
>> second is the historical use of email, where addresses are not accounts.
>
> Deciding whether to apply a DKIM signature based on the submitting user is
> not the same thing as user-level signing. Signers can use any criteria they
> want in deciding whether to sign an outgoing message.
I think that's another facet of what I'm trying to say. The statements in the
message are only loosely connected to the account underneath.
>
>> In that second historic case, it's not acceptable because there are lots of
>> cases out there where there are virtual addresses, not really an account,
>> and yet from time to time a message has to be sent with a `From` of that
>> address.
>
> I have lots of virtual addresses. When submitting a message to my outgoing
> MTA, I still authenticate to it as myself. If my outgoing MTA served multiple
> users, it should check whether the From address corresponded to my account.
> In the situation Ale is considering, the decision on whether to sign or not
> would depend on the submitting user, which is not necessarily the From
> address on the message.
Yes, this is exactly my use case, too, and many MTAs let an authenticated user
send anything they want. Many others accept an arbitrary message, but might
later on bounce it back to the user.
I think we're in violent agreement on this?
Jon
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim