On 1/16/2024 3:57 PM, Evan Burke wrote:
>> DKIM Replay re-sends an /unmodified/ copy of the message, where
>> only the SMTP RCPT-To is different. DKIM doesn't (and can't)
>> cover that SMTP command.
> I'd call it DKIM replay if the signature is intact.
You are, of course, free to use any term you want, in any way you want.
However for group discussions to be productive, common, shared
terminology is needed.
The term "DKIM Replay" has become a term of art, referring to efforts at
countering a specific form of abuse, and it is the form I described.
One of the difficulties in getting traction with the effort -- beyond
the actual technical challenges -- has been various people's tendency to
use the term more broadly, generally for any type of abuse-based
forwarding of existing text that was signed.
The issue is not whether those broader concerns are... concerns. They
are. But the topic of DKIM Replay has to do with a scenario that is
affected by things like oversigning.
> Without oversigning those headers, DKIM would pass,
Yes, oversigning is useful. And it has been useful for a very long
time. It is important to do. So it is good to have DKIM modules
support this capability.
However the abuse scenarios which are reduced or eliminated by oversigning
are outside the scope of the recent abuse that is being called DKIM Replay.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
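As an added illustration, not part of this thread and not any DKIM implementation's code, the following Python model of RFC 6376 header selection makes the distinction in the exchange above concrete. Oversigning (listing a header name in h= more times than it occurs) makes a later-added duplicate header break verification, whereas a replay that re-sends the identical bytes to a different SMTP RCPT TO verifies regardless, because the envelope recipient is never part of the signed input. The signing primitive is an HMAC over a constructed demo key standing in for the domain's RSA key, canonicalization is "simple" with lowercased field names, and all addresses, headers and body text are constructed sample values.

```python
import hashlib
import hmac

# Constructed demo key; stands in for the signing domain's private RSA key.
DEMO_KEY = b"constructed-demo-key"


def select_headers(headers, h_tag):
    """Pick header instances the way RFC 6376 section 5.4.2 describes: for
    each name in h=, scan from the bottom of the header block and take the
    last instance not already used. A name with no remaining instance
    contributes an empty value, which is exactly what oversigning relies on:
    a header added later fills that slot and changes the signed input."""
    used = set()
    chosen = []
    for name in h_tag.split(":"):
        name = name.lower()
        for i in range(len(headers) - 1, -1, -1):
            if i not in used and headers[i][0].lower() == name:
                used.add(i)
                chosen.append((name, headers[i][1]))
                break
        else:
            chosen.append((name, ""))
    return chosen


def canonical_input(headers, h_tag, body):
    """Signed input: selected headers ("simple" canonicalization, lowercased
    names) followed by the body hash. Note that nothing from the SMTP
    envelope (MAIL FROM, RCPT TO) ever enters this function."""
    parts = [f"{name}:{value}\r\n" for name, value in select_headers(headers, h_tag)]
    body_hash = hashlib.sha256(body).hexdigest()
    return ("".join(parts) + f"bh={body_hash}").encode()


def sign(headers, h_tag, body):
    # HMAC-SHA256 stands in for RSA-SHA256 so the example runs offline.
    return hmac.new(DEMO_KEY, canonical_input(headers, h_tag, body), hashlib.sha256).hexdigest()


def verify(headers, h_tag, body, signature):
    return hmac.compare_digest(sign(headers, h_tag, body), signature)


# Constructed sample message.
BODY = b"Please review the attached invoice.\r\n"
ORIGINAL_HEADERS = [
    ("From", " sender@example.com"),
    ("To", " recipient@example.org"),
    ("Subject", " Invoice"),
]
BASE_H = "from:to:subject"
OVERSIGNED_H = BASE_H + ":to:subject"  # each name listed once more than it occurs


def header_addition_verifies(oversign):
    """Forwarded copy with a second To: header prepended. With plain h= the
    verifier still selects the original To: from the bottom, so the signature
    passes and the unsigned header is what a client would display; with
    oversigning the extra To: fills the previously empty slot and fails."""
    h_tag = OVERSIGNED_H if oversign else BASE_H
    signature = sign(ORIGINAL_HEADERS, h_tag, BODY)
    modified = [("To", " everyone@example.net")] + ORIGINAL_HEADERS
    return verify(modified, h_tag, BODY, signature)


def replay_verifies(oversign, envelope_rcpt_to):
    """DKIM Replay as described in the thread: the message bytes are
    unchanged and only the SMTP RCPT TO differs. The envelope recipient is
    accepted as a parameter purely to show that it plays no part in
    verification, so oversigning cannot influence the outcome."""
    h_tag = OVERSIGNED_H if oversign else BASE_H
    signature = sign(ORIGINAL_HEADERS, h_tag, BODY)
    assert envelope_rcpt_to  # present at the SMTP layer, absent from the signed input
    return verify(ORIGINAL_HEADERS, h_tag, BODY, signature)


if __name__ == "__main__":
    print("added To:, plain h=     :", header_addition_verifies(False))
    print("added To:, oversigned h=:", header_addition_verifies(True))
    print("replay, plain h=        :", replay_verifies(False, "other@example.net"))
    print("replay, oversigned h=   :", replay_verifies(True, "other@example.net"))
```

Running it prints True, False, True, True: oversigning closes the added-header case and has no effect on the replay case, which is the scope distinction the reply insists on.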