ietf-dkim

Re: [ietf-dkim] New Issue: Include new "known message replay" threat?

2006-03-20 05:48:45


Jim Fenton wrote:
> In preparing for the WG meeting I realized that there had been no
> response to this.  Read on for my attempt to collect a free beer :-) .

You're certainly in the lead!

> Stephen Farrell wrote:
>> OTOH, this could be included just as a variant of chosen message
>> replay, which'd be easier on the editor since it'd only add a
>> paragraph to that section.
> Yes, I'd prefer that we just add a paragraph to the chosen message
> replay section.  Here's what I have in mind (insert following paragraph
> 2 of section 4.1.4):
>
> A variation on this attack involves the attacker sending a message with
> the intent of obtaining a signed reply containing their original
> message.  The reply might come from an innocent user, or might be an
> automatic response such as a "user unknown" bounce message.  In some
> cases, this signed reply message might accomplish the attacker's
> objectives if replayed.  This variation on chosen message replay can be
> mitigated by limiting the extent to which the original content is quoted
> in automatic replies, and by the use of complementary mechanisms such as
> egress content filtering.
>
> (end of proposed text)
>
> I'm a little uncomfortable with adding what might be seen as a
> dependency on content filtering here; as far as I know we have no
> similar reference elsewhere.  How do others feel?

I think the text above is ok, but agree that it's a pity to
have to indicate a need for outbound content filtering. Be
nice if there were other tools to bring to bear, but I can't
think of any right now.

S.

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
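The mitigation in the proposed text ("limiting the extent to which the original content is quoted in automatic replies") is the kind of thing an MTA's bounce generator can enforce directly. Below is an added illustration, not code from the thread or from any DKIM implementation: a "user unknown" reply builder that echoes only a fixed set of identifying headers and a bounded prefix of the original body, so that a signed bounce never becomes a signed copy of the sender's full content. The names `build_bounce`, `excerpt_original`, `QUOTED_HEADERS` and `MAX_QUOTED_BODY`, the mailer-daemon address and the sample message are all assumptions made for this example; passing `max_body=None` reproduces the unbounded quoting the proposed text warns about, for comparison.

```python
"""Added example (not from the ietf-dkim thread): bound how much of an
original message an automatic reply quotes before the reply is signed.
All identifiers and addresses here are assumptions for the illustration."""

from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional

# Headers that let the original sender recognise the message without
# carrying attacker-chosen body text into a signed reply (assumed set).
QUOTED_HEADERS = ("From", "To", "Date", "Subject", "Message-ID")
# Upper bound on quoted body characters in an automatic reply (assumed value).
MAX_QUOTED_BODY = 256
TRUNCATED_MARK = "[... original body truncated ...]"


def excerpt_original(raw: bytes, max_body: Optional[int] = MAX_QUOTED_BODY) -> str:
    """Return a bounded textual excerpt of the original message.

    max_body=None quotes the whole text body, i.e. the unbounded behaviour
    the threat text warns about; the default truncates it.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    lines = [f"{h}: {msg[h]}" for h in QUOTED_HEADERS if msg[h] is not None]
    # Prefer the text/plain part; an HTML-only message simply gets no body quoted.
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    if max_body is not None and len(text) > max_body:
        text = text[:max_body] + "\n" + TRUNCATED_MARK
    return "\n".join(lines) + "\n\n" + text


def build_bounce(raw: bytes, max_body: Optional[int] = MAX_QUOTED_BODY) -> EmailMessage:
    """Build a "user unknown" reply that quotes only a bounded excerpt.

    The returned message is what the MTA would then DKIM-sign; whatever it
    quotes is what an attacker gets back under the MTA's signature.
    """
    original = message_from_bytes(raw, policy=policy.default)
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@example.org"  # assumed local mailer address
    bounce["To"] = str(original["From"])
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content(
        "The recipient address was not found (user unknown).\n\n"
        "--- Original message (excerpt) ---\n"
        + excerpt_original(raw, max_body)
    )
    return bounce


# Constructed sample: a short header block followed by a 1000-character body
# standing in for attacker-chosen content the attacker wants signed.
SAMPLE_MESSAGE = (
    b"From: sender@example.com\r\n"
    b"To: nobody@example.org\r\n"
    b"Subject: hello\r\n"
    b"Message-ID: <abc123@example.com>\r\n"
    b"\r\n" + b"X" * 1000 + b"\r\n"
)


def quoted_body_chars(raw: bytes, max_body: Optional[int]) -> int:
    """How many characters of the original body survive into the reply."""
    content = build_bounce(raw, max_body).get_content()
    return content.count("X")


if __name__ == "__main__":
    print("bounded reply carries", quoted_body_chars(SAMPLE_MESSAGE, MAX_QUOTED_BODY), "body chars")
    print("unbounded reply carries", quoted_body_chars(SAMPLE_MESSAGE, None), "body chars")
    print(build_bounce(SAMPLE_MESSAGE).as_string())
```

The bound applies to the text as it will be signed, not to the wire bytes of the original, which is the point: a reply that quotes headers plus a few hundred characters is still useful to a legitimate sender for diagnosing a typo, while a replayed copy of it carries only a fragment of the content the attacker chose.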
