ietf-822

Re: [ietf-822] one can re-sign without a permission to re-sign header

2014-05-02 09:42:45
I don't see any replay protection in here at all. Nothing that says to keep the signature expiration relatively short, and nothing which a mailing list recipient could not subsequently use to send spam. The first issue just needs a mention. It's the second issue that needs to be addressed IMO:

Yeah, that occurred to me about five minutes after I posted it. Here's a tweaked version where the mf tag is now mf=list.domain, with handwaving about how a may-forward signature doesn't count unless there's also a signature from the list domain. Given lengthy discussions about how little abuse comes from real mailing lists, that'd probably be adequate.

http://datatracker.ietf.org/doc/draft-levine-may-forward/

I wouldn't bother with what you've proposed.

Neither would I.  Whitelisting solves this problem far better.

Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
