ietf-dkim

Re: [ietf-dkim] [dmarc-ietf] draft-kucherawy-dmarc-rcpts

2016-11-15 13:27:49
On 11/15/2016 11:17 AM, Martijn Grooten wrote:
> On Tue, Nov 15, 2016 at 11:56:11AM -0600, Scott Kitterman wrote:
>> Not at all.  As I understand the scenario, the provider knows it's
>> bad, doesn't send the mail on to the outside world, but still gives a
>> signed copy back to the originator (which is then available for
>> replay).
>
> My understanding is an attack where the email is sent to an outside
> address owned by the sender, who then gets a copy of the email, signed
> by the provider who didn't think the email was bad.
>
> Signing an email that you know is bad does indeed sound like a bad
> idea.


That's not how I read it, but even if it was it would still require the mail be signed by a provider which presumably should pass judgment on it to decide to sign or not. If they signed something bad, they own the ding on their reputation, or whatever.

It's not like you can change the bits in the mail once they're signed and still keep a valid signature, so I'm not seeing what the problem is here.

Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
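
An added illustration of the two points discussed in this thread, not part of any poster's message: a simplified DKIM-style check in which a change to the signed body or headers breaks verification, while the SMTP envelope recipient never enters the signed data, so the same signed message verifies for any recipient. Assumptions: HMAC-SHA256 with a constructed key stands in for the real RSA/Ed25519 signature, canonicalization is reduced to a minimal "simple" form, and all addresses and message content are constructed.

```python
import base64
import hashlib
import hmac

# Constructed demo key. Real DKIM signs with an RSA or Ed25519 private key;
# HMAC-SHA256 stands in here so the example needs only the standard library.
DEMO_KEY = b"constructed-demo-key"
SIGNED_HEADERS = ("from", "to", "subject")  # the h= list


def body_hash(body: bytes) -> str:
    """bh= value: base64 SHA-256 of the body, trailing empty lines ignored."""
    canon = body.rstrip(b"\r\n") + b"\r\n"
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def _signing_input(headers: dict, bh: str) -> bytes:
    # Signed data: the listed header fields plus the signature header itself
    # (with an empty b= tag). Nothing from the SMTP envelope appears here.
    lines = [f"{name}:{headers[name]}" for name in SIGNED_HEADERS]
    lines.append(f"dkim-signature:h={':'.join(SIGNED_HEADERS)}; bh={bh}; b=")
    return "\r\n".join(lines).encode()


def sign(headers: dict, body: bytes) -> dict:
    bh = body_hash(body)
    tag = hmac.new(DEMO_KEY, _signing_input(headers, bh), hashlib.sha256).digest()
    return {"bh": bh, "b": base64.b64encode(tag).decode()}


def verify(headers: dict, body: bytes, sig: dict, envelope_rcpt: str) -> bool:
    """envelope_rcpt (SMTP RCPT TO) is accepted but plays no part in the check."""
    if not hmac.compare_digest(body_hash(body), sig["bh"]):
        return False  # body bits changed after signing
    expected = hmac.new(DEMO_KEY, _signing_input(headers, sig["bh"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(expected).decode(), sig["b"])


# Constructed sample message.
HEADERS = {"from": "user@provider.example", "to": "first@rcpt.example",
           "subject": "hello"}
BODY = b"constructed sample body\r\n"
SIG = sign(HEADERS, BODY)

if __name__ == "__main__":
    print("original recipient:", verify(HEADERS, BODY, SIG, "first@rcpt.example"))
    print("other recipient:   ", verify(HEADERS, BODY, SIG, "other@elsewhere.example"))
    print("modified body:     ", verify(HEADERS, BODY + b"x", SIG, "first@rcpt.example"))
```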
