On 1/29/25 6:20 PM, Murray S. Kucherawy wrote:
On Wed, Jan 29, 2025 at 3:12 PM Michael Thomas <m...@mtcc.com> wrote:
I understand that if you can revert the modifications and verify the signature, you can then associate the reputation of the originating domain with the original's canonical text (but you'd have to evaluate the rest in a separate context). Which seems interesting, but are people thinking that there is more to it than that? Like it would potentially drive more deployment of DMARC p=reject? Or is there something else I'm missing?

A priori, I wouldn't think it would really help p=reject for various reasons, but I'd be interested to hear what the motivation is.
My own motivation is the former, not the latter. That is, yes I would
like to recover the author domain signature if we can come up with a
relatively robust way to do that without creating a security hole; no,
my motivation has nothing to do with enabling uptake of "p=reject",
though that might be a side effect that I think others would find
beneficial.
It still creates a security hole. But maybe a more tractable one; we
shouldn't cop attitude that it doesn't. There are tradeoffs to both
approaches. Security is a risk/reward thing, after all.
I think I recall that the group initiating this effort sees this new
thing as something that could supplant DMARC, but they're free to
correct me if I've got that wrong.
Really? Yikes. Really, there is nothing new under the sun. All of this
is basically SSP as far as DKIM goes.
Mike
_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org
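The "revert the modifications and verify" idea discussed in the thread, shown as an added example that is not part of any message above and not code from the IETF DKIM work. It covers only the body-hash (bh=) half of DKIM verification: relaxed body canonicalization per RFC 6376 section 3.4.4 and the SHA-256 body hash that the DKIM-Signature header carries. The RSA signature over the headers is left out, and the list footer, the message body and the list address are all constructed for the example; the receiver is assumed to know exactly what the list appended.

```python
import base64
import hashlib
import re

# Constructed sample body, as the author domain would have signed it.
ORIGINAL_BODY = "Hello list,\r\n\r\nPlease review the draft.\r\n\r\nMichael\r\n"

# Constructed footer that a hypothetical list appends to every message.
LIST_FOOTER = (
    "\r\n_______________________________________________\r\n"
    "Example mailing list -- list@example.invalid\r\n"
)


def relaxed_body_canon(body: str) -> bytes:
    """Relaxed body canonicalization (RFC 6376 section 3.4.4)."""
    canon = []
    for line in body.split("\r\n"):
        line = re.sub(r"[ \t]+", " ", line)  # collapse runs of WSP to one SP
        canon.append(line.rstrip(" \t"))     # drop trailing WSP on each line
    while canon and canon[-1] == "":         # ignore empty lines at end of body
        canon.pop()
    if not canon:
        return b""                           # empty body canonicalizes to nothing
    return ("\r\n".join(canon) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(body: str, bh: str) -> bool:
    """Recompute bh= over the body as received and compare with the signed value."""
    return body_hash(body) == bh


def revert_footer(body: str, footer: str):
    """Undo one known list footer. Return None if it is not present verbatim,
    so the verifier never strips arbitrary trailing content on a guess."""
    if body.endswith(footer):
        return body[: -len(footer)]
    return None


def demo() -> dict:
    bh = body_hash(ORIGINAL_BODY)           # what the signer put in bh=
    modified = ORIGINAL_BODY + LIST_FOOTER  # what the list delivers
    reverted = revert_footer(modified, LIST_FOOTER)

    # A body altered before the footer still fails after the footer is removed:
    # reverting a known modification does not loosen the check.
    tampered = ORIGINAL_BODY + "Extra line\r\n" + LIST_FOOTER
    tampered_reverted = revert_footer(tampered, LIST_FOOTER)

    return {
        "original_ok": body_hash_matches(ORIGINAL_BODY, bh),
        "modified_ok": body_hash_matches(modified, bh),
        "reverted_ok": reverted is not None and body_hash_matches(reverted, bh),
        "tampered_ok": tampered_reverted is not None
        and body_hash_matches(tampered_reverted, bh),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the check makes for the thread's tradeoff: the reversal only works when the receiver knows the exact modification the list made, and it must re-run the ordinary hash comparison afterwards rather than accept the message because a footer was found. Anything looser than that is the hole both sides of the exchange are worried about.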