The point is that replay protection is _critical_ for automated
reputation and compensation mechanisms.
People keep saying this as though it's obvious. I must be unusually dim
today because it's not obvious at all to me, and doesn't seem to have been
obvious to designers of previous signature systems.
Do you check CRLs on S/MIME mail? (They are turned off by default in many
MUAs.) PGP seems to have no way to deal with replay at all. Is that why
it hasn't caught on?
Doug has offered the only scenario so far of a replay attack, which is
very helpful to figuring out what the threat is. His scenario boils down
to one of a domain's users being a spammer, which would be a problem
whether or not his spam was being remailed.
That's a reasonable concern, we should look at ways to deal with it.
One approach is to give each user (or at least each untrustworthy user) a
separate selector, so you can withdraw the selector if the user turns
bad. It might be worth adding a flag to the DNS record that says that
even though the signature is good, the mail is bad, a stronger statement
than merely voiding the selector.
But really, the threat model for replay isn't there. The examples are all
exotic, contrived, and implausible, the remedies worse than the purported
disease. Let's deal with serious threats, OK?
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
_______________________________________________
ietf-dkim mailing list
ietf-dkim(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/ietf-dkim