On Mon, May 5, 2014 at 1:50 AM, Paul Smith <paul(_at_)pscs(_dot_)co(_dot_)uk>
wrote:
On 02/05/2014 15:42, John R Levine wrote:
I don't see any replay protection in here at all. Nothing that says to
keep the signature expiration relatively short, and nothing which a mailing
list recipient could not subsequently use to send spam. The first issue
just needs a mention. It's the second issue that needs to be addressed IMO:
Yeah, that occurred to me about five minutes after I posted it. Here's a
tweaked version where the mf tag is now mf=list.domain, with handwaving
about how a may-forward signature doesn't count unless there's also a
signature from the list domain. Given lengthy discussions about how little
abuse comes from real mailing lists, that'd probably be adequate.
http://datatracker.ietf.org/doc/draft-levine-may-forward/
Could this be 'extended' to include message-ids in the MF signature?
That would provide some replay protection, especially if the forwarder
checks for duplicate message-ids (the recipient could also check for
dupes). Without it, I could see one of your messages on a list, then send
messages to everyone on the list, pretending to be you.
I was wondering if we wanted a new canonicalization which would allow for
the Subject to be included but stripped of "standard" MLM subject prefixes,
ie something similar to the reply_regexp in mutt (
http://www.mutt.org/doc/devel/manual.html#reply-regexp)
Brandon
_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822