On November 13, 2016 1:50:05 AM EST, "Murray S. Kucherawy"
<superuser(_at_)gmail(_dot_)com> wrote:
> I've posted a draft that attempts to address an attack that's begun to
> appear with DKIM. Interestingly, we called it out as a possible attack in
> RFC6376 and even RFC4871, but now it's apparently happening and being
> annoying enough that people (I believe from the MAAWG community) are
> asking if there's a protocol solution that's possible.
>
> https://datatracker.ietf.org/doc/draft-kucherawy-dkim-rcpts/
>
> Comments welcome.
Wouldn't a DMARC option to allow senders to specify only messages that pass
verification and alignment for BOTH SPF and DMARC accomplish the same result
with less complexity and without the layering violation inherent in this
proposal?
DMARC seems to be the policy engine of choice in the community (for better or
for worse). I think addressing this at the policy level makes more sense than
changing the semantics of DKIM signatures after almost a decade of deployment.
Scott K
P.S. With my Debian OpenDKIM maintainer hat on, I'm not immediately convinced
I'd want to enable this feature. I don't know if other distro maintainers are
on this list or not, but that's one opinion. It's not guaranteed to be widely
deployed.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
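To make the policy-level alternative concrete, here is an added example (not code from the thread, from OpenDKIM, or from the draft) of how a DMARC verifier combines the SPF and DKIM results per RFC 7489: the message passes if either mechanism passes with an aligned identifier. The `both=1` tag is a hypothetical illustration of the "require BOTH" option Scott describes, not a real DMARC tag; the organizational-domain derivation is simplified (no Public Suffix List), and the message data is constructed. The scenario is a message carrying a valid, aligned DKIM signature that arrives from a host SPF does not authorize: standard DMARC passes it on the DKIM result alone, while the hypothetical option rejects it.

```python
"""Added example: DMARC SPF/DKIM combination, plus a hypothetical
'both=1' tag that requires both mechanisms to pass with alignment.
Not a real DMARC tag; sample data below is constructed."""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    # Simplified: last two labels. Real verifiers consult the Public
    # Suffix List so that e.g. "example.co.uk" is handled correctly.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' = strict (exact match),
    'r' = relaxed (same organizational domain)."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                 # RFC5322.From domain
    spf_result: str                  # "pass", "fail", "none", ...
    spf_domain: str                  # MAIL FROM domain that SPF checked
    dkim_sigs: list = field(default_factory=list)  # [(d= domain, result)]


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict (keys lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate(record_txt: str, res: AuthResults) -> dict:
    tags = parse_dmarc_record(record_txt)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")

    spf_ok = res.spf_result == "pass" and aligned(
        res.spf_domain, res.from_domain, tags.get("aspf", "r"))
    # Any one aligned, passing DKIM signature is enough for DKIM.
    dkim_ok = any(result == "pass" and aligned(d, res.from_domain,
                                               tags.get("adkim", "r"))
                  for d, result in res.dkim_sigs)

    require_both = tags.get("both") == "1"   # hypothetical tag (assumption)
    passed = (spf_ok and dkim_ok) if require_both else (spf_ok or dkim_ok)
    policy = tags.get("p", "none")
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


def demo() -> tuple:
    """Constructed case: aligned DKIM signature verifies, SPF fails
    because the delivering host is not in example.com's SPF record."""
    msg = AuthResults(from_domain="example.com",
                      spf_result="fail", spf_domain="example.com",
                      dkim_sigs=[("example.com", "pass")])
    standard = evaluate("v=DMARC1; p=reject; adkim=r; aspf=r", msg)
    require_both = evaluate("v=DMARC1; p=reject; both=1", msg)
    return standard, require_both


if __name__ == "__main__":
    std, both = demo()
    print("standard DMARC:", std)
    print("hypothetical both=1:", both)
```

Under the standard rule the first evaluation passes with disposition `none`; with the hypothetical `both=1` tag the same message fails and inherits `p=reject`. The example also shows the cost Scott alludes to: a legitimate forwarder that breaks SPF but preserves the DKIM signature would be rejected under the stricter option just as the unwanted message is.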