On Fri, May 2, 2014 at 7:42 AM, John R Levine <johnl(_at_)taugh(_dot_)com>
wrote:
I don't see any replay protection in here at all. Nothing that says to
keep the signature expiration relatively short, and nothing which a mailing
list recipient could not subsequently use to send spam. The first issue
just needs a mention. It's the second issue that needs to be addressed IMO:
Yeah, that occurred to me about five minutes after I posted it. Here's a
tweaked version where the mf tag is now mf=list.domain, with handwaving
about how a may-forward signature doesn't count unless there's also a
signature from the list domain. Given lengthy discussions about how little
abuse comes from real mailing lists, that'd probably be adequate.
http://datatracker.ietf.org/doc/draft-levine-may-forward/
If we want to pursue a may-forward approach, this looks like a good
starting point to me.
I wouldn't bother with what you've proposed.
Neither would I. Whitelisting solves this problem far better.
If we're discarding may-forward, then it seems to me we might be better off
talking about a whitelist publish/query mechanism that deserves
standardization here. Does VBR or a slight modification to it suffice, or
do we want something else?
-MSK
_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822