> On Aug 16, 2023, at 10:25, Alessandro Vesely <ves...@tana.it> wrote:
>
> To repeat my questions, then, would limiting (qualified) DKIM signatures to
> verified accounts diminish replay attacks by any amount? Is this kind of
> solution acceptable?
There are two reasons that this isn't acceptable. One is that DKIM is
domain-level signing, not user-level signing, and that's been so since the
beginning. DKIM is *intentionally* designed with that as an anti-goal. The
second is the historical use of email, where addresses are not accounts.
In that second historic case, it's not acceptable because there are lots of
cases out there where there are virtual addresses, not really an account, and
yet from time to time a message has to be sent with a `From` of that address.
Example: there's i...@example.com, and that goes to both Alice and Bob, via a
Postfix virtual address (or an internal organization group). There's no account
of info, the vast majority of the time email is only incoming, but from time to
time a message has to be sent From that. On that, take the case where spam
starts coming in from ads@store and, to unsubscribe, they have to send a message
from info, neither Alice nor Bob.
There's even a single-person version of this, the user+t...@example.com
convention, and variations on that, such as the way that Gmail considers a dot
to be optional. The address first.last@gmail is the same as firstlast@gmail and
even f.i.r.s.t.l.a.s.t@gmail.
In a real-world example of the broader issue, my partner and I have an email
address that goes to the both of us. It's the contact email for airlines,
concerts, and so on, so that we both get it. A few years ago, it was literally
a Postfix virtual entry. Presently, it's a Google Group because there's no
equivalent of a virtual fan-out there. Once or twice a year one of us has to
send a message from there. We don't want a separate account because that costs
money (and is annoying).
The bottom line is that ambiguous, organizational, and virtual addresses exist,
and have to be taken into consideration.
Jon
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
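As an added illustration of the domain-level point Jon makes (example code, not from the thread or from any DKIM implementation): a small DKIM-Signature tag parser plus a DMARC-style identifier-alignment check, showing that only the domain of the `From` address is compared with `d=`, so alias, plus-tag and dot-variant local parts all align identically. The `i=` handling follows RFC 6376's rule that the `i=` domain must be `d=` or a subdomain of it; the two-label organizational-domain fallback is an assumption standing in for the Public Suffix List, and all headers and addresses are constructed samples.

```python
import re

# Constructed sample header (not from the thread): a message sent from a
# Postfix virtual alias, signed by the domain's mail server.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2023;"
    " i=@example.com; h=from:to:subject:date; bh=BODYHASH_PLACEHOLDER;"
    " b=SIGNATURE_PLACEHOLDER"
)

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag-list (RFC 6376 section 3.2) into a dict.
    Whitespace inside values is dropped, as the tag-list grammar allows."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)  # b= may itself contain '=' padding
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def address_domain(addr: str) -> str:
    """Lower-cased domain of an addr-spec; the local part is ignored entirely."""
    return addr.rsplit("@", 1)[1].strip().lower()

def organizational_domain(domain: str) -> str:
    """Toy fallback: keep the last two labels. Real deployments consult the
    Public Suffix List; the two-label rule is an assumption for this example."""
    return ".".join(domain.lower().split(".")[-2:])

def dkim_signing_domain(tags: dict) -> str:
    """The identity DKIM vouches for is the d= domain. If i= is present,
    RFC 6376 requires its domain to equal d= or be a subdomain of it."""
    d = tags["d"].lower()
    if "i" in tags:
        i_domain = address_domain(tags["i"])
        if not (i_domain == d or i_domain.endswith("." + d)):
            raise ValueError(f"i= domain {i_domain} is not under d={d}")
    return d

def from_aligns_with_dkim(from_addr: str, dkim_header: str, strict: bool = False) -> bool:
    """DMARC-style identifier alignment (RFC 7489 section 3.1.1): the From
    domain is compared with d=; the local part never enters the comparison,
    so info@, alice+tag@ and f.i.r.s.t@ variants all align the same way."""
    d = dkim_signing_domain(parse_dkim_tags(dkim_header))
    from_domain = address_domain(from_addr)
    if strict:
        return from_domain == d
    return organizational_domain(from_domain) == organizational_domain(d)
```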