In message <f7a46a8e-6e19-458f-a34c-93d70ed7d...@mtcc.com>, Michael Thomas <m...@mtcc.com> writes
> Ok, I think I might be getting it. So the inclusion of the mf= and
> rt= is basically signaling to the receiver that the signer wants to
> limit the scope of what sort of forwarding it finds acceptable.

That is not what those tags are for ... they are to provide a signal to a receiver that a message has been sent to it by a third party who was not envisaged to be in possession of a copy.

This third party is very likely sending it to a lot of other people as well, and so it would be unwise to accept the email.

As I write, individual emails from Docusign (legitimate emails with entirely valid signatures ... but with fraudulent content that DocuSign have unfortunately overlooked) are being replayed to tens or hundreds of thousands of recipients. Mailbox providers tend to accept these emails (after all, they are legitimately signed) unless they see so many copies that the replay can be detected.

DKIM2 would prevent this type of attack ... emails could only be sent directly from Docusign -- who have velocity checks that would prevent mass market fraud...

[not to pick on Docusign, other document signing companies are being exploited in a similar manner as well]

> This seems relatively straightforward for an ESP to always add
> those tags and hope for the best, but what if it wasn't an ESP?
> What if it's normal corporate mail where some of it is transactional
> and some of it just normal user-user email. Will the MTA be tasked
> with deciding which need to add those tags and those where it
> shouldn't?

In DKIM2 every MTA always adds the tags to every email.

> PPS: I don't understand why this requires the rt= to be limited
> to just one address.

Simplicity ... at the point at which an email is being signed it is not possible to know how many recipients the receiving MTA will accept after each MAIL FROM.

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
Benjamin Franklin 11 Nov 1755
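The reply above describes the two ways a mailbox provider can notice a replayed DocuSign-style message: today, only by seeing "so many copies" of one legitimately signed message; under DKIM2, by the signer having recorded the single recipient it handed the message to. The following is an added illustration, not code from the thread, DocuSign, or any DKIM2 draft. It assumes a delivery log that already carries the DKIM d= and bh= values of a verified signature plus the envelope recipient, and it treats the DKIM2 rt= tag as "the one recipient the signer sent to", which is this thread's reading of the tag rather than normative draft text. All log records are constructed.

```python
"""Spotting DKIM replay: velocity counting today, rt= comparison under DKIM2.

Added example for the ietf-dkim thread; assumptions are marked inline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample delivery log (not real data). Each tuple is
# (accepted-at ISO timestamp, DKIM d=, DKIM bh=, envelope recipient).
# One (d=, bh=) pair landing in many distinct mailboxes is the
# "so many copies" pattern the thread says providers currently rely on.
SAMPLE_LOG = [
    ("2025-03-16T10:00:00", "docusign.example", "bh=A", "alice@a.example"),
    ("2025-03-16T10:00:05", "docusign.example", "bh=A", "bob@b.example"),
    ("2025-03-16T10:00:07", "docusign.example", "bh=A", "carol@c.example"),
    ("2025-03-16T10:00:09", "docusign.example", "bh=A", "dave@d.example"),
    ("2025-03-16T10:00:12", "docusign.example", "bh=A", "Alice@a.example"),  # same mailbox again
    ("2025-03-16T10:01:00", "docusign.example", "bh=B", "erin@e.example"),   # a different document
    ("2025-03-16T10:02:00", "bank.example",     "bh=C", "frank@f.example"),
    ("2025-03-17T10:00:00", "docusign.example", "bh=A", "grace@g.example"),  # a day later, outside the window
]


def find_replays(log, threshold=4, window=timedelta(hours=1)):
    """Velocity check: return {(d, bh): distinct recipients} for every signed
    message body delivered to at least `threshold` distinct mailboxes within
    `window` of the first copy we accepted.

    The window is anchored on the first sighting (a deliberately simple
    choice); a production system would use a sliding or bucketed window.
    """
    first_seen = {}
    recipients = defaultdict(set)
    # ISO 8601 timestamps sort lexically, so sorting the tuples orders by time.
    for ts, d, bh, rcpt in sorted(log):
        key = (d, bh)
        t = datetime.fromisoformat(ts)
        first_seen.setdefault(key, t)
        if t - first_seen[key] <= window:
            recipients[key].add(rcpt.lower())  # case-fold so one mailbox counts once
    return {k: len(v) for k, v in recipients.items() if len(v) >= threshold}


def dkim2_replay_evidence(signed_rt, envelope_rcpt):
    """DKIM2-style check on a single delivery, no counting needed.

    ASSUMPTION (this thread's reading, not draft text): the signing MTA puts
    the one address it is delivering to in rt=. If the recipient we are
    asked to accept for is not that address, somebody other than the signer
    handed us this copy, so the message is evidence of third-party replay.
    """
    return signed_rt.strip().lower() != envelope_rcpt.strip().lower()


if __name__ == "__main__":
    for key, count in find_replays(SAMPLE_LOG).items():
        print(f"replay suspected: d={key[0]} bh={key[1]} -> {count} distinct recipients")
    print(dkim2_replay_evidence("alice@a.example", "bob@b.example"))
```

With the sample log, only the docusign.example/bh=A message crosses the threshold (four distinct mailboxes inside the hour; the repeated alice@ delivery and the next-day copy do not add to the count), which is exactly the point in the reply: the velocity approach only fires after many copies have already been accepted, whereas the rt= comparison decides on the very first delivery.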