
RE: [ietf-dkim] New DKIM threat analysis draft

2005-10-06 07:12:25
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Amir Herzberg

I have only one real reservation. In section 6.3, discussing 
the message replay attack, esp. in the 2nd paragraph... It is 
presented as if DKIM cannot be applied against replay since 
replay is indistinguishable from acceptable acts, e.g. 
forwarding. This is not necessarily true. A legitimate 
application of DKIM may require senders to indicate a specific 
recipient; this would allow replay prevention, of course at 
the price of requiring additional support to deal with 
legitimate forwarding. 

Actually I think it might work for the limited set of cases where replay
is a spam threat.

The replay attack is largely limited to public ISPs, in particular free
webmail accounts. It may not be a huge burden to these to sign the
recipient list.

Recipient lists do get changed in flight, of course; forwarders do this.
But an intelligent receiver can certainly make some educated guesses, and
the level of intelligence required is much less than we already require
for our existing spam engine.

There is also the policy revocation hack I have described.

I'm not suggesting DKIM should be 
modified to support that, indeed this is not required at DKIM 
level at all, but I think the text now seems to exclude this 
usage, and this should be fixed imho.

I suggest the text be fixed to say that DKIM does not by itself provide
a full and effective control against this attack but may be extended to
do so.

Here are few additional, minor comments:

1. You use the term `zombie` without definition in p. 2, then 
`compromised computers` later (in 5.1)... pick one; my 
suggestion: use `zombie` and in the first use, add 
`(compromised computers)`.

I would use the term 'compromised computers'. The less jargon we use, the
better, particularly in a technical forum.

I was in a recent meeting where people were throwing around the term
'pharming'. Thirty minutes into the meeting I realized that people were
using two completely different definitions.

5. In 5.2.1: last sentence is imho misleading. Such malware 
usually/often does not use the email address of the owner of 
the infected machine, but selects other email addresses as 
sender, to avoid detection. In this case, DKIM may help. I 
also think the term `malware` is better than `worm` here.

In general I would avoid the terms worm and virus because they are now
obsolete. The real threats we see today are blended. Distinguishing
between the two categories was always rather bogus, now there is no
useful distinction.

I am particularly sad to see companies treating anti-spyware as a
separate category from anti-virus. It's the same crap, one product
should do it all.
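The replay scenario argued over above, as an added illustration that is not part of this thread or of the DKIM specification: a deliberately simplified signer and verifier (HMAC standing in for DKIM's RSA signature, a toy "relaxed" canonicalization, and a hypothetical shared key named SIGNING_KEY) show why a signature that omits the To header verifies just as well when a captured message is re-injected to a new recipient, and how a verifier that is handed the SMTP envelope recipient can flag the mismatch once To is included in the signed header list. All addresses and message contents are constructed sample data.

```python
import email.utils
import hashlib
import hmac

# Hypothetical shared key standing in for the signer's private key
# (real DKIM publishes an RSA public key in DNS; HMAC keeps this self-contained).
SIGNING_KEY = b"example-selector-key"


def canonical_header(headers, name):
    """Toy relaxed canonicalization: lowercase name, collapse whitespace.
    An absent header canonicalizes to an empty value, so a later addition
    of that header (e.g. a Cc) invalidates the signature if it was listed."""
    value = headers.get(name, "")
    return f"{name.lower()}:{' '.join(value.split())}"


def sign(headers, body, signed_headers):
    """Produce a DKIM-style signature record over the body hash and the
    listed headers. 'h' records which headers were covered."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    data = "\n".join(canonical_header(headers, h) for h in signed_headers)
    data += f"\nbh={body_hash}"
    sig = hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()
    return {"h": ":".join(signed_headers), "bh": body_hash, "b": sig}


def verify(headers, body, dkim, envelope_rcpt):
    """Verify the signature, then bind it to the delivery: if To/Cc were
    signed, the SMTP envelope recipient must appear in them."""
    signed_headers = dkim["h"].split(":")
    expected = sign(headers, body, signed_headers)
    if not hmac.compare_digest(expected["b"], dkim["b"]):
        return "fail"
    rcpt_headers = [h for h in signed_headers if h.lower() in ("to", "cc")]
    if not rcpt_headers:
        # Signature is valid, but nothing ties it to an intended recipient:
        # a replayed copy to anyone else verifies identically.
        return "pass-no-recipient-binding"
    signed_rcpts = [
        addr.lower()
        for _, addr in email.utils.getaddresses([headers.get(h, "") for h in rcpt_headers])
        if addr
    ]
    if envelope_rcpt.lower() in signed_rcpts:
        return "pass"
    # Valid signature delivered to someone the signer never named:
    # the replay (or a forward, which policy must then distinguish) is visible.
    return "pass-recipient-mismatch"


def demo():
    """Run the constructed scenario and return each verifier outcome."""
    headers = {"From": "alice@example.com", "To": "bob@example.com", "Subject": "hello"}
    body = "Constructed sample message body.\n"
    results = {}

    # Case A: To not in the signed header set (the situation section 6.3 describes).
    weak = sign(headers, body, ["From", "Subject"])
    results["weak_original"] = verify(headers, body, weak, "bob@example.com")
    results["weak_replay"] = verify(headers, body, weak, "carol@example.com")

    # Case B: signer includes To, so the verifier can check the envelope.
    bound = sign(headers, body, ["From", "To", "Subject"])
    results["bound_original"] = verify(headers, body, bound, "bob@example.com")
    results["bound_replay"] = verify(headers, body, bound, "carol@example.com")

    # Replayer rewrites To to match the new envelope: signature no longer verifies.
    rewritten = dict(headers, To="carol@example.com")
    results["bound_rewritten"] = verify(rewritten, body, bound, "carol@example.com")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "pass-recipient-mismatch" outcome is exactly the case the thread leaves to receiver policy: a forwarder changes the envelope recipient just as a replayer does, so the verifier can only surface the mismatch and let the spam engine's "educated guesses" (known forwarding aliases, reputation of the signing domain) decide.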


_______________________________________________
ietf-dkim mailing list
http://dkim.org