On Sep 7, 2023, at 6:15 PM, Evan Burke <[email protected]> wrote:

> On Thu, Sep 7, 2023 at 10:17 AM Murray S. Kucherawy <[email protected]> wrote:
>
>> On Thu, Sep 7, 2023 at 10:03 AM Dave Crocker <[email protected]> wrote:
>>
>>> Keys cannot be rotated fast enough to be useful within the time frame that attackers work in. Key rotation works in a timeframe of days or weeks. Attackers work in the timeframe of minutes.
>>
>> I think we disqualified use of "x=" as a mitigation on the same basis.
>
> To be clear, for us x= was one of the most effective defenses against large-scale replay attacks. Not perfect, obviously, but applied carefully and in conjunction with header oversigning, it created a significantly narrower window for attacks, and reduced the potential financial return to attackers from replay spam.
>
> I would note that the effectiveness of x= for reducing replay risk will likely vary considerably from signer to signer, depending on a number of factors; we may be better positioned than many signers in that respect.

+1

Signature expiration seemed to be a very helpful deterrent for us too. While a very limited dataset, the replay attacks that I've seen over the last few months mostly seem to focus on domains that don't expire signatures.

Brian

_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
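As an added illustration of the two mitigations Evan and Brian mention, signature expiration (the x= tag) and header oversigning (extra names in h=), the Python below checks a DKIM-Signature value the way a verifier or a signer-side policy review would. It is example code written for this page, not code from the thread, from any list participant, or from an IETF document. Tag semantics follow RFC 6376 (x= and t= are seconds since the epoch, x= must not be earlier than t=); the two sample signature values, the header list, and the max_window threshold are constructed for the example.

```python
"""Added example: inspect a DKIM-Signature for replay mitigations (x= expiry,
h= oversigning).  Tag semantics per RFC 6376; sample data is constructed."""
import re
import time

# Constructed sample: t= and x= 15 minutes apart, and h= listing From and
# Subject twice so a second instance of either cannot be added after signing.
SIGNED_WITH_EXPIRY = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "t=1694100000; x=1694100900; "
    "h=from:to:subject:date:from:subject; "
    "bh=ABC=; b=DEF="
)
# Constructed sample: no x= tag and no oversigning.
SIGNED_NO_EXPIRY = (
    "v=1; a=rsa-sha256; d=example.com; s=sel1; t=1694100000; "
    "h=from:to:subject:date; bh=ABC=; b=DEF="
)


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2).
    Folding whitespace inside values is dropped; an empty trailing ';' is ignored."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def expiry_status(tags: dict, now: int) -> str:
    """Classify expiration as a verifier would.
    Returns 'no-expiry', 'invalid' (x= earlier than t=), 'expired' or 'valid'."""
    if "x" not in tags:
        return "no-expiry"
    x = int(tags["x"])
    t = int(tags.get("t", x))
    if x < t:
        return "invalid"
    return "expired" if now > x else "valid"


def validity_window(tags: dict):
    """Seconds between signing time and expiration, or None if either is absent."""
    if "x" not in tags or "t" not in tags:
        return None
    return int(tags["x"]) - int(tags["t"])


def oversigned_headers(tags: dict, present_headers: list) -> list:
    """Header names that h= lists more times than they occur in the message.
    The surplus listing signs a non-existent instance, so appending that header
    later (e.g. a second Subject) invalidates the signature."""
    listed = {}
    for name in tags.get("h", "").split(":"):
        name = name.strip().lower()
        if name:
            listed[name] = listed.get(name, 0) + 1
    present = {}
    for name in present_headers:
        key = name.lower()
        present[key] = present.get(key, 0) + 1
    return sorted(n for n, c in listed.items() if c > present.get(n, 0))


def replay_risk(tags: dict, present_headers: list, now: int,
                max_window: int = 3600) -> list:
    """Signer-side policy view: reasons this signature is attractive for replay.
    max_window is an assumed local threshold, not a value from RFC 6376 or the thread."""
    reasons = []
    if expiry_status(tags, now) == "no-expiry":
        reasons.append("no x= tag: signature never expires")
    window = validity_window(tags)
    if window is not None and window > max_window:
        reasons.append(f"x= window of {window}s exceeds {max_window}s")
    if not oversigned_headers(tags, present_headers):
        reasons.append("no oversigned headers: extra From/Subject can be appended")
    return reasons


if __name__ == "__main__":
    headers = ["From", "To", "Subject", "Date"]  # constructed message headers
    now = int(time.time())
    for label, sig in (("with expiry", SIGNED_WITH_EXPIRY),
                       ("no expiry", SIGNED_NO_EXPIRY)):
        tags = parse_dkim_tags(sig)
        print(label, expiry_status(tags, now),
              oversigned_headers(tags, headers), replay_risk(tags, headers, now))
```

Run stand-alone, the first sample reports "expired" (its x= is in 2023) and oversigned From and Subject, while the second is flagged for both a missing x= and no oversigning, which is the profile Brian describes as attracting replay. A verifier checks expiry_status against its own clock; a signer can run replay_risk over its outgoing signing configuration to see how wide a window it is leaving open.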
