On Wed, 2005-01-12 at 18:27 +0000, John Levine wrote:
I do note that you're actually somewhat vulnerable to this replay even
with signed bodies.
[ replay mail from legit free provider ]
This puts the free email provider in the position of needing to revoke
the key I'm using, but they cannot do that until the other mail signed
with that key has had a chance to flow through the system.
If it were my ISP, I'd just cancel the account. I'd only cancel a key
if I found that it had leaked and unknown parties were using it to
sign mail. The signature means that the original sender and recipient
addresses are real, if someone wants to further pursue the miscreant.
The most that a signature can do is to identify the responsible party.
There's no point in adding cruft that attempts to go beyond that.
A domain, becoming aware of a problem with an account, can close this
account, but this does not disable the already signed message when a key
is globally used for the domain. Millions of copies of this signed
message may be sent from spam-friendly providers well beyond the control
of the signing domain. This would not help their reputation.
Do you think closing the account is enough or should there be a means
within the signature mechanism to invalidate known bad accounts/messages
within a time period shorter than a week?
Should there be a standardized account revocation list? This could be
something like a blackhole list for accounts off of the domain in
_arl.<localpart>.<signature domain>.tld A RR 127.0.0.1
If there is a record, then negate acceptance of the signature?
Do you expect filtering to be the ultimate solution
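As an added illustration of the _arl lookup sketched in this message (example code, not from the thread or any implementation), here is a simulated verifier-side check; the zone contents, the resolver stub, the lowercasing of the name, and the refusal of localparts containing a dot are assumptions.

```python
# Added example (not from the thread): simulate the proposed DNS-based
# "account revocation list" (ARL) check on the verifier side. The zone,
# the resolver stub and all function names are constructed for illustration.
from typing import Callable, Optional

# Answer value the proposal uses to flag a revoked account.
REVOKED = "127.0.0.1"


def arl_query_name(localpart: str, signing_domain: str) -> str:
    """Build _arl.<localpart>.<signature domain> as proposed in the message.

    The proposal does not say how a localpart containing '.' would be encoded,
    so this example refuses such localparts rather than silently querying a
    different name. DNS is case-insensitive, so the name is lowercased
    (an assumption, not something the message specifies).
    """
    if not localpart or "." in localpart:
        raise ValueError("localpart must form a single DNS label")
    return f"_arl.{localpart.lower()}.{signing_domain.lower()}."


def account_revoked(localpart: str, signing_domain: str,
                    resolve_a: Callable[[str], Optional[str]]) -> bool:
    """True when the ARL answers 127.0.0.1 for this account."""
    return resolve_a(arl_query_name(localpart, signing_domain)) == REVOKED


def accept_signature(signature_verifies: bool, localpart: str,
                     signing_domain: str,
                     resolve_a: Callable[[str], Optional[str]]) -> bool:
    """A cryptographically valid signature is negated when the account is listed."""
    if not signature_verifies:
        return False
    return not account_revoked(localpart, signing_domain, resolve_a)


# Constructed zone standing in for the signing domain's DNS (not real data).
CONSTRUCTED_ZONE = {
    "_arl.spammer.example.net.": "127.0.0.1",
}


def stub_resolve_a(name: str) -> Optional[str]:
    """Stand-in for an A-record lookup; NXDOMAIN is modelled as None."""
    return CONSTRUCTED_ZONE.get(name)


if __name__ == "__main__":
    print(accept_signature(True, "spammer", "example.net", stub_resolve_a))  # False
    print(accept_signature(True, "alice", "example.net", stub_resolve_a))    # True
```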