On Thu, Aug 17, 2023 at 2:06 PM Alessandro Vesely <ves...@tana.it> wrote:
> On Thu 17/Aug/2023 18:21:35 +0200 Murray S. Kucherawy wrote: > > On Thu, Aug 17, 2023 at 3:30 AM Alessandro Vesely <ves...@tana.it> > wrote: > > > >>> I'm not convinced advice is necessary here. Do you really need signs > in > >>> banks that say "Don't put your signature on random financial > documents"? I > >>> have to believe that people understand what it means to sign > something, and > >>> why they shouldn't do that. > >> > >> Well, when banks don't do that, they're in bad faith. Consider, for > >> example, derivative financial contracts conceived so that nobody is > able > >> to read them —banks don't even try to print them. Decadent practices. > > > I don't know what you mean by "decadent", here or below. > > > > I disagree about the "bad faith" claim. I think everyone with their own > > agency understands what it means to affix their signature to something. > > It's on them to understand that fully, or assume the risks of not being > > diligent. > > > When a customer who is dedicating (part of) an afternoon to banking has to > /fully understand/ a 600 page agreement, the only choice he has is to > assume > the risk and blindly trust the bank. You may disagree that that is bad > faith. > It's the kind of thing I'd call decadent. > > > > In the case of high volume operations like scanning email, the scale > forces > > you to play the odds that your inbound filtering gets it right a high > > enough percentage of the time that you're able to cope somehow with the > > things that slip through. > > > Yeah, here too you are forced to take the risk. Domains who trust their > users > have easier options. > > > >> Domains cannot "read" the messages they sign. Some MPs may have > wonderful > >> anti-spam filters, but that's still not the same as reading and signing > an > >> agreement. We need to dismantle the agreement metaphor a bit. > > > > The logical extension of this line of thinking is that message > > authentication isn't meaningful. Is that where you're going with this? > > > No, the opposite. Message authentication allows a system to vet messages > without understanding their content, if it trusts the authenticated > entities. > > > >> On the other hand, there are domains which blindly sign anything their > >> users write, enacting only minimal limits to prevent abuse in case of > >> compromised credentials. They can afford doing so because, for > example, > >> users are employees and are known in person. Do such domains > experience > >> replay attacks? > > > Likely. So? > > > If corporate domains are victims of replay attacks at the same rate as > free > mail providers, then my theory is wrong. See below. > Ale, I think there is a lot of value in what you are saying about verification of identities and segmentation of the authenticating domain based on the tier of verification that was performed. BUT, I think this is a good idea that is separate from DKIM Replay. Specifically, we do see non-free mail providers as victims of DKIM Replay as well. For example, we have seen very large DKIM Replay attacks of youtube.com Terms of Service emails. There is no malicious content in these emails, but spammers still send very large volumes (perhaps using them to generate affinity with victims or warm up their sending infrastructure).
_______________________________________________ Ietf-dkim mailing list Ietf-dkim@ietf.org https://www.ietf.org/mailman/listinfo/ietf-dkim
