On 02/05/2014 15:42, John R Levine wrote:
>> I don't see any replay protection in here at all. Nothing that says
>> to keep the signature expiration relatively short, and nothing which
>> a mailing list recipient could not subsequently use to send spam. The
>> first issue just needs a mention. It's the second issue that needs to
>> be addressed IMO:
>
> Yeah, that occurred to me about five minutes after I posted it. Here's
> a tweaked version where the mf tag is now mf=list.domain, with
> handwaving about how a may-forward signature doesn't count unless
> there's also a signature from the list domain. Given lengthy
> discussions about how little abuse comes from real mailing lists,
> that'd probably be adequate.
>
> http://datatracker.ietf.org/doc/draft-levine-may-forward/

Could this be 'extended' to include message-ids in the MF signature?
That would provide some replay protection, especially if the forwarder
checks for duplicate message-ids (the recipient could also check for
dupes). Without it, I could see one of your messages on a list, then
send messages to everyone on the list, pretending to be you.
-
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822
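
The duplicate Message-ID check suggested in the message above, sketched as a forwarder-side filter. This is an added example, not part of the original post or of draft-levine-may-forward. It assumes the may-forward signature uses DKIM's `h=` (signed header list) and `x=` (expiration) tags from RFC 6376 alongside the `mf=` tag mentioned in the thread, and that cryptographic verification of the signature happens elsewhere; `parse_tags` and `ReplayGuard` are hypothetical names.

```python
import time

def parse_tags(sig_value):
    """Split a DKIM-style 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

class ReplayGuard:
    """Forwarder-side duplicate Message-ID check for may-forward signatures."""

    def __init__(self, list_domain):
        self.list_domain = list_domain.lower()
        self.seen = {}  # Message-ID -> signature expiry; entry is dropped after that

    def check(self, sig_value, message_id, now=None):
        now = int(time.time()) if now is None else now
        # Forget IDs whose signatures have expired; the x= check rejects those anyway.
        self.seen = {m: exp for m, exp in self.seen.items() if exp > now}
        tags = parse_tags(sig_value)
        if tags.get("mf", "").lower() != self.list_domain:
            return "reject: not a may-forward signature for this list"
        # A dedupe on Message-ID only helps if the signature covers that header;
        # otherwise a replayed copy can simply carry a fresh Message-ID.
        signed = [h.lower() for h in tags.get("h", "").split(":")]
        if "message-id" not in signed:
            return "reject: Message-ID not covered by signature"
        if not tags.get("x", "").isdigit():
            return "reject: no expiration, replay window unbounded"
        expires = int(tags["x"])
        if expires <= now:
            return "reject: signature expired"
        if message_id in self.seen:
            return "reject: duplicate Message-ID"
        self.seen[message_id] = expires
        return "accept"

# Constructed sample signature value (assumed layout, not from the draft or a real message).
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel; mf=list.example.org; "
              "h=from:to:subject:date:message-id; x=1400000000; bh=...; b=...")
```

A short `x=` keeps the `seen` cache small, since an entry only has to be remembered until its signature expires.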