On May 26, 2007, at 8:49 PM, SM wrote:
At 16:40 26-05-2007, Douglas Otis wrote:
Mitigation might need to be better defined:
A) the SMTP RCPT TO is within the signed portion of the message,
B) or when a _confirmed_ SMTP client is within the DKIM domain.
Both A and B would affect DKIM verification if the message goes
through a mailing list or a forwarder.
DKIM operates entirely on the content of the message (RFC 4686
Section 1.1). Your requirement goes against that. Maybe you could
use "revocation identifiers" as described in the Chosen Message
Replay scenario.
Neither suggested replay abuse mitigation strategy affects
verification of the DKIM signature, nor has the WG addressed this
concern.
Many hope to base reputation upon the DKIM domain. However DKIM
domain reputation will impact delivery for many more messages than
just those being forwarded.
As example, the DOSP draft indicates signing policy and can mitigate
replay abuse to accommodate forwarding sources, mailing-lists, and
BCC messages. Importantly, any such similar scheme eliminates
dangers associated with SPF as currently the only other alternative!
Otherwise, the DKIM WG must make a very strong statement DKIM is only
suitable for emails addressed specifically to the recipient due to
replay abuse mitigation concerns.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
