On 4/16/2025, Richard Clayton wrote:
(snip)
> > One of the goals of DMARC was "Anti-Phishing", but if DKIM2 allows for
> > hijacking of messages in flight, and a reuse of authenticated emails,
> > then I would suggest that there exists significant motivation for
> > miscreants to abuse this feature.
>
> DKIM2 does not "allow for hijacking" any more or less than is the case
> for existing mail flows. The difference is that some legitimate mail
> flows (mailing lists for example) are currently unable to document what
> changes they have made and you have to take what they give you on trust.
> DKIM2 also requires trust, but you get to verify as well.
You are correct and I agree completely that the exact same problem
exists for current and historical mail flows.
I just wish that things like mailing lists didn't do that. In fact, I
have been told recently that some will formulate messages differently
based on the sender's envelope's DMARC policy. I have not been able to
verify this yet.
I would like to make the argument that such modification to the end-user
viewable parts of the message, like what is happening on this list, is
superfluous. E.g.:
> Subject: [Ietf-dkim] [...]
[...]
_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org
Superfluous because of RFCs 2369, 2919, and 8058... I'm sure that there
are others. E.g.:
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
Archived-At:
<https://mailarchive.ietf.org/arch/msg/ietf-dkim/oWLzqg_CY_5pAoQcSTqlcxR6J2M>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim>
List-Help: <mailto:ietf-dkim-requ...@ietf.org?subject=help>
List-Owner: <mailto:ietf-dkim-ow...@ietf.org>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Subscribe: <mailto:ietf-dkim-j...@ietf.org>
List-Unsubscribe: <mailto:ietf-dkim-le...@ietf.org>
I would suggest that perhaps the MUAs could, and perhaps should, display
these sorts of data elements to the user without a need to modify the
email messages in ways that would break crypto-signing.
--
SgtChains
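Added example, not part of the thread and not code from any DKIM or DKIM2 implementation: it simulates the two kinds of list modification discussed above (adding List-* headers per RFCs 2369/2919/8058 versus tagging the Subject and appending a footer) and checks which of them invalidate a signature over the message. The signature is a simplified HMAC stand-in for DKIM (real DKIM uses public-key signatures and RFC 6376 canonicalization); the key, addresses and domain names are constructed for the demo. The last function shows the MUA-side idea from the post: reading the list actions from the headers instead of from an edited Subject or footer.

```python
"""Does a mailing list's edit survive a DKIM-style signature? (added example)"""
import email
import hashlib
import hmac
import re
from email import policy
from email.message import EmailMessage

# Header fields covered by the signature (stand-in for DKIM's h= tag).
SIGNED_HEADERS = ("from", "to", "subject", "date", "message-id")
# Constructed demo key; a simplified HMAC stands in for a real DKIM key pair.
SIGNING_KEY = b"constructed-demo-key"


def canonical(msg: EmailMessage) -> bytes:
    """Serialize signed headers plus body (whitespace-relaxed, like DKIM's
    'relaxed' mode in spirit, not in detail)."""
    parts = [f"{n}:{' '.join(msg.get(n, '').split())}" for n in SIGNED_HEADERS]
    parts.append(msg.get_content().rstrip("\r\n") + "\r\n")
    return "\r\n".join(parts).encode()


def sign(msg: EmailMessage) -> str:
    return hmac.new(SIGNING_KEY, canonical(msg), hashlib.sha256).hexdigest()


def verify(msg: EmailMessage, signature: str) -> bool:
    return hmac.compare_digest(sign(msg), signature)


def build_message() -> EmailMessage:
    """Constructed author message, as it leaves the signing domain."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "author@example.org"
    msg["To"] = "dkim-list@example.org"
    msg["Subject"] = "Signed headers and list footers"
    msg["Date"] = "Wed, 16 Apr 2025 12:00:00 +0000"
    msg["Message-ID"] = "<constructed-1@example.org>"
    msg.set_content("Original body text.\n")
    return msg


def relay_copy(msg: EmailMessage) -> EmailMessage:
    """Re-parse the serialized message, as a list server would receive it."""
    return email.message_from_string(msg.as_string(), policy=policy.default)


def add_list_headers(msg: EmailMessage) -> EmailMessage:
    """RFC 2369/2919/8058 style: metadata in new headers, signed parts untouched."""
    out = relay_copy(msg)
    out["List-Id"] = "Example DKIM List <dkim-list.example.org>"
    out["List-Post"] = "<mailto:dkim-list@example.org>"
    out["List-Help"] = "<mailto:dkim-list-request@example.org?subject=help>"
    out["List-Unsubscribe"] = "<mailto:dkim-list-leave@example.org>"
    out["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"  # RFC 8058
    return out


def add_subject_tag_and_footer(msg: EmailMessage) -> EmailMessage:
    """What many lists do today: edit the Subject and append a body footer."""
    out = relay_copy(msg)
    out.replace_header("Subject", "[dkim-list] " + out["Subject"])
    out.set_content(out.get_content()
                    + "_______________________\n"
                    + "dkim-list mailing list -- dkim-list@example.org\n")
    return out


def changed_signed_parts(original: EmailMessage, modified: EmailMessage) -> list:
    """Name the signed parts a modification touched (empty list = signature survives)."""
    changed = [n for n in SIGNED_HEADERS
               if " ".join(original.get(n, "").split())
               != " ".join(modified.get(n, "").split())]
    if original.get_content() != modified.get_content():
        changed.append("body")
    return changed


def list_actions(msg: EmailMessage) -> dict:
    """MUA side: pull the <URI> values out of List-* headers for display."""
    actions = {}
    for name in ("List-Id", "List-Post", "List-Help", "List-Unsubscribe"):
        value = msg.get(name)
        if value is not None:
            actions[name] = re.findall(r"<([^>]+)>", value)
    return actions


def demo() -> dict:
    original = build_message()
    signature = sign(original)
    with_headers = add_list_headers(original)
    with_footer = add_subject_tag_and_footer(original)
    return {
        "unmodified": verify(original, signature),
        "list_headers_only": verify(with_headers, signature),
        "subject_and_footer": verify(with_footer, signature),
        "footer_changed": changed_signed_parts(original, with_footer),
        "headers_changed": changed_signed_parts(original, with_headers),
        "mua_actions": list_actions(with_headers),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the signature surviving the List-* headers (they are outside the signed set, as DKIM's h= would leave them) and failing after the Subject tag and footer, with `changed_signed_parts` naming `subject` and `body` as the cause; `list_actions` returns the same unsubscribe and post addresses an MUA could surface from the headers alone.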